Administration Guide

FortiProxy 7.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE


https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT


https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM


https://www.fortinet.com/training-certification

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT


https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdoc@fortinet.com

February 10, 2023


FortiProxy 7.0 Administration Guide
45-700-717314-20230210
TABLE OF CONTENTS

Change log 11
Introduction 12
Supported protocols 12
About this document 13
Deployments 14
Transparent and NAT/route modes 14
Web proxy 15
Web proxy concepts 16
Explicit web proxy concepts 17
Transparent web proxy concepts 19
Explicit web proxy topologies 19
WAN optimization 20
WAN optimization transparent mode 20
WAN optimization topologies 21
Web caching 24
Collaboration web caching 25
Web-caching topologies 26
WCCP 27
WCCP topology 27
Dashboard 29
Managing widgets 31
System Information widget 32
Licenses widget 33
Virtual Machine widget 34
FortiProxy Cloud widget 34
Security Fabric widget 35
Administrators widget 35
CPU widget 36
Memory widget 36
Sessions widget 37
SSL-VPN widget 37
IPSec widget 38
Forward Server Monitor widget 7.0.9 38
User dropdown menu 39
GUI-based global search 39
FortiView 40
FortiView dependencies 40
FortiView interface 42
FortiView consoles 43
Using the process monitor 49
Proxy Settings 50
Explicit Proxy 50

FortiProxy 7.0 Administration Guide 3


Fortinet Inc.
Create or edit an explicit web proxy 51
Web Proxy Setting 54
Web Proxy Profile 57
Create or edit a web proxy profile 57
Create or edit an HTTP header 60
Forwarding Server 62
Create or edit a forwarding server 63
Server URL 66
Create or edit a URL match entry 67
FTP Proxy 69
FTPS handling 71
Isolator Server 71
Create or edit an isolator server 72
Proxy Options 73
Video streaming splitting 74
Configuring TCP windows 75
Handling SSL offloaded traffic from an external decryption device 76
HTTP domain fronting blocking 77
Create or edit a proxy option profile 77
Create a CIFS proxy option 80
SSL Keyring 81
Network 83
Interfaces 83
Link health monitor 87
Create or edit an interface 89
Create or edit a zone 94
GRE Tunnel 96
Create or edit a GRE tunnel 97
DNS Settings 99
Using the FortiProxy unit as an IPv6 DDNS client for generic DDNS 101
Use DNS over TLS for default FortiGuard DNS servers 102
DNS Service 103
Create or edit a DNS service 104
Create or edit a DNS zone 105
Create or edit a DNS entry 106
Packet Capture 107
Create or edit a packet capture filter 108
Static routes 110
Create or edit a static route 110
Policy routes 113
Configuring a policy route 113
Policy & Objects 116
Policy 116
Change how the policy list is displayed 119
How list order affects policy matching 119
Policy rules and authentication rules 119
Move a policy 119

Copy and paste a policy 120
Policy lookup 120
Web cache policy address formats 120
Create or edit a policy 121
SSH policy matching 135
Authentication Rules 136
Create or edit an authentication rule 139
Create or edit an authentication scheme 142
Agentless NTLM support 144
Domain name source when doing NTLM authentication 145
Proxy Auth Setting 145
Traffic shaping 148
Traffic shapers 148
Traffic-shaping policy 152
Central SNAT 154
Create or edit a central SNAT policy 155
PAC Policy 158
Create or edit a PAC policy 159
Edit a PAC file 160
Policy Test 161
Decrypted Traffic Mirror 162
Create or edit a decrypted traffic mirror profile 163
Addresses 164
Create or edit an address 166
Create or edit an address group 169
Create or edit an IPv6 address template 171
Edit a subnet segment 173
Internet Service Database 175
Services 175
Create or edit an application service 177
Create or edit a service 178
Create or edit a service group 180
Create a service category 183
Schedules 184
Create or edit a schedule 185
Create or edit a schedule group 187
Virtual IPs 189
Create or edit a virtual IP 190
Create or edit a virtual IP group 192
IP Pools 194
Create or edit an IP pool 195
ZTNA 196
Full ZTNA and IP/MAC filtering 196
ZTNA telemetry, tags, and policy enforcement 196
Access proxy 197
Basic requirements for ZTNA configuration 197
Basic ZTNA configuration 197
Connect a ZTNA access proxy to an SSL VPN web portal 209

UTM scanning on TCP forwarding access proxy traffic 213
Increase ZTNA and EMS tag limits 7.0.4 215
Use FQDN with ZTNA TCP forwarding access proxy 216
Security Profiles 220
Order of execution of security profiles 222
AntiVirus 223
Create or edit an antivirus profile 224
Web Filter 230
Create or edit a web filter profile 231
Create or edit a URL filter 237
Create or edit a content filter 238
Video Filter 239
Create or edit a video filter profile 239
Create or edit a channel override entry 242
DNS Filter 242
Create or edit a DNS filter profile 243
Create or edit a domain filter 246
Create or edit a DNS translation entry 247
Application Control 247
Create or edit an application sensor 248
Create or edit a default network service 251
Add or edit an application override 252
Add or edit a filter override 252
Intrusion Prevention 253
Create or edit an IPS sensor 253
Add or edit an IPS signature or filter 255
File Filter 256
Create or edit a file filter profile 256
Create or edit a file filter rule 258
Email Filter 259
Create or edit an email filter profile 260
Web Application Firewall 262
Create or edit a web application firewall profile 263
Create or edit a method policy 265
SSL/SSH Inspection 266
SSL/SSH inspection profile 266
Create or edit an SSL/SSH inspection profile 267
Application Signatures 275
Create or edit an application signature 276
Create or edit an application group 277
IPS Signatures 278
Highlight of on-hold IPS signatures 279
Create or edit an IPS signature 280
Web Rating Overrides 281
Create or edit a web rating override 282
Create or edit a custom category 283
Web Profile Overrides 283

Create or edit a web profile override 284
Profile Groups 286
Data Leak Prevention 287
Create or edit a DLP sensor 289
Create or edit a DLP filter rule 291
DLP File Pattern 298
Create or edit a DLP file pattern 298
Content Analyses 300
Image Analysis 300
Validating Content Analysis 301
Create or edit an Image Analysis profile 301
ICAP Profile 303
Create or edit an ICAP profile 304
ICAP Remote Server 306
Create or edit an ICAP remote server 307
ICAP Load Balancing 309
ICAP Local Server 310
Create or edit an ICAP local server 310
Create or edit an ICAP service 312
ICAP scanning with FTP 312
WAN Optimization 315
Profiles 315
Create or edit a WAN optimization profile 316
Peers 319
Create or edit a WAN optimization peer 320
Authentication Groups 320
Create or edit an authentication group 321
Web Cache 324
Settings 324
HTTP traffic caching reports 327
WCCP Settings 329
WCCP service groups, numbers, IDs, and well-known services 329
WCCP configuration overview 330
Example: Caching HTTP sessions 330
WCCP packet flow 334
Configure forward and return methods and adding authentication 334
WCCP messages 335
Troubleshooting WCCP 335
User Agent 336
Create or edit a user agent 337
Reverse Cache Server 338
Create or edit a reverse cache server 338
Prefetch URLs 339
Prefetch File 341
Create or edit a prefetch file 342

VPN 344
IPsec VPN 344
SSL-VPN 344
IPsec Tunnels 345
Edit an IPsec tunnel 346
IPsec Wizard 350
Create a custom VPN tunnel 352
IPsec Tunnel Template 356
SSL-VPN Portals 357
Create or edit an SSL-VPN portal 357
Create or edit a bookmark 361
Create or edit a DNS entry 361
SSL-VPN Settings 362
Dual-stack IPv4 and IPv6 support for SSL VPN 365
Create or edit an authentication/portal mapping 366
SSL-VPN Personal Bookmarks 366
SSL-VPN Realms 367
Create or edit an SSL-VPN realm 368
User & Authentication 370
User Definition 370
Create a user 371
Edit a user 374
User Groups 375
Create or edit a user group 377
Guest Management 379
Create or edit a guest user account 380
Create multiple guest user accounts 380
LDAP Servers 381
Create or edit an LDAP server 382
RADIUS Servers 384
Create or edit a RADIUS server 385
TACACS+ Servers 386
Create or edit a TACACS server 388
Kerberos 389
Create or edit a Kerberos authentication service 390
SAML 390
Create or edit a SAML server 392
FortiTokens 394
FortiToken authentication process 395
FortiToken Mobile Push 396
Migrate FortiToken Mobile users from FortiProxy to FortiToken Cloud 397
Add or edit a FortiToken 397
Activate a FortiToken on the FortiProxy unit 398
Associate FortiTokens with accounts 399
FortiToken maintenance 400

System 402
Administrators 402
Create or edit an administrator 403
Create or edit a REST API administrator 406
Admin Profiles 408
Create or edit an administrator profile 409
Firmware 411
Settings 412
HA 416
HA multiple unicast peers 418
Cache Collaboration 419
SNMP 419
Fortinet MIBs 423
SNMP agent 424
Create or edit an SNMP community 424
Create or edit an SNMP user 428
Replacement Messages 430
Replacement Message Groups 438
Custom ZTNA virtual host replacement message 439
FortiGuard 440
Setting automatic updates for FortiGuard packages 443
FortiGuard Outbreak Prevention 443
Antiphish pattern database 443
Feature Visibility 444
Certificates 446
Certificate list 447
Certificate Signing Requests 448
Import a local certificate 451
Import a CA certificate 454
Upload a remote certificate 454
Import a CRL 454
View certificate details 455
Default certificate authority 455
Security Fabric 457
Fabric Connectors 457
Simplify EMS pairing with Security Fabric so one approval is needed for all devices 457
External Connectors 458
External threat feeds 459
Malware hashes 461
IP addresses 461
Asset Identity Center 462
Diagnostics for the unified user device store 463
Log & Report 465
Debug logs 466
Logs for the execution of CLI commands 466
Filter WAD log messages by process types or IDs 466

Types of logs 467
Local Reports 470
Log Settings 470
Memory debugging 472
Local logging and archiving 473
Remote logging to a syslog server 473
Forward traffic and HTTP transaction logs' client IP address 474
Threat Weight 474
Email Alert Settings 475
How to configure email notifications 476
Appendices 479
Perl regular expressions 480
Block common spam phrases 481
Block purposely misspelled words 481
Block any word in a phrase 481
Preload cache content and web crawler 482
execute preload list 482
execute preload show-log 482
execute preload url 482
execute preload url-delete 483
Examples 483
Automatic backup to an FTP or TFTP server 484
Manual backups to a remote FTP or TFTP using IPv4 484
Manual backups to a remote FTP or TFTP using IPv6 484
Scheduled automatic backups with an auto script 484
Manual backups with SCP 486
Scheduled automatic backups with SCP 486
Custom signature keywords 488
Information keywords 488
Session keywords 489
Content keywords 490
IP header keywords 499
TCP header keywords 501
UDP header keywords 503
ICMP keywords 504
Other keywords 504

Change log

Date        Change description

2023-02-10  Updated the following topics for 7.0.9 new features and changes:
            - Dashboard on page 29
            - ICAP Remote Server on page 306
            - Create or edit an ICAP remote server on page 307

2023-02-06  Updated the following topics:
            - IP Pools on page 194
            - Create or edit an IP pool on page 195

2022-10-13  Updated Policy routes on page 113.

2022-08-12  Added Policy routes on page 113, and Default certificate authority on page 455. Updated
            Replacement Messages on page 430, Create or edit an ICAP profile on page 304, and Log &
            Report on page 465.

2022-06-23  Added FTPS handling on page 71, Create a CIFS proxy option on page 80, SSH policy matching on
            page 135, Domain name source when doing NTLM authentication on page 145, and Forward traffic
            and HTTP transaction logs' client IP address on page 474.

2022-04-12  Updated Transparent and NAT/route modes on page 14.

2022-04-08  Added SSL Keyring on page 81, Profile Groups on page 286, and Asset Identity Center on page 462.

2022-02-18  Added HA on page 416 and Client authentication with an SSL client certificate for the Original
            Content Server on page 273.

2021-10-13  Added and updated multiple topics.

2021-09-03  Added Order of execution of security profiles on page 222.

2021-08-23  Initial release.

Introduction

FortiProxy provides a secure web gateway that protects against web attacks using URL filtering, visibility and control of
encrypted web traffic through SSL and SSH inspection, and the application of granular web application policies. Flexible
deployment modes cover inline, explicit, and transparent deployments.
- Application Control allows you to identify and control applications on networks and endpoints regardless of the port,
  protocol, and IP address used. It gives you visibility and control over application traffic, even traffic from
  unknown applications and sources.
- SSL and SSH inspection allows you to determine which inspection method will be applied to SSH and SSL traffic;
  identify how to treat invalid, unsupported or untrusted SSL certificates; and configure which web sites or web site
  categories are exempt from SSL inspection.
- Web filtering provides web URL filtering to block access to harmful, inappropriate, and dangerous web sites that can
  contain phishing/pharming attacks, malware such as spyware, or objectionable content that can expose your
  organization to legal liability. Based on automatic research tools and targeted research analysis, real-time updates
  enable you to apply highly granular policies that filter web access based on 78 web content categories, over 45
  million rated web sites, and more than two billion web pages, all continuously updated.
- The FortiProxy data leak prevention (DLP) system allows you to prevent sensitive data from leaving your network.
  When you define sensitive data patterns, data matching these patterns will be blocked, or logged and allowed, when
  passing through the FortiProxy unit. You configure the DLP system by creating individual filters based on file type,
  file size, a regular expression, an advanced rule, or a compound rule, in a DLP sensor and assign the sensor to a
  security policy. Although the primary use of the DLP feature is to stop sensitive data from leaving your network, it
  can also be used to prevent unwanted data from entering your network and to archive some or all of the content
  passing through the FortiProxy unit.
The FortiProxy unit also provides WAN optimization, web caching, and WCCP. FortiProxy WAN optimization and web
caching improve performance and security of traffic passing between locations on your wide area network (WAN) or
from the Internet to your web servers. You can use the FortiProxy unit as an explicit FTP and web proxy server. In
addition, you can add web caching to any HTTP sessions including WAN optimization, explicit web proxy, and other
HTTP sessions.

Supported protocols

Application layer security

- SSH
- FTP/FTPS/FTPoHTTP/FTPoHTTPConnect
- SMTP/SMTPS
- IMAP/IMAPS
- POP3/POP3S
- CIFS/SMB
- MAPI/MAPIoRPC/MAPIoHTTPS
- DNS

- ICAP/WCCP
- SCP/SFTP

VPN

- IPsec/SSL VPNs

About this document

This document contains the following sections:

- Deployments on page 14
- Dashboard on page 29
- Proxy Settings on page 50
- Network on page 83
- Policy & Objects on page 116
- Security Profiles on page 220
- Content Analyses on page 300
- WAN Optimization on page 315
- Web Cache on page 324
- VPN on page 344
- User & Authentication on page 370
- System on page 402
- Security Fabric on page 457
- Log & Report on page 465

Appendices:

- Perl regular expressions on page 480
- Preload cache content and web crawler on page 482
- Automatic backup to an FTP or TFTP server on page 484
- Custom signature keywords on page 488

Deployments

This section describes the following:

- Transparent and NAT/route modes on page 14
- Web proxy on page 15
- WAN optimization on page 20
- Web caching on page 24
- WCCP on page 27

Transparent and NAT/route modes

A FortiProxy unit can operate in either NAT/route mode or transparent mode.

In NAT/route mode, a FortiProxy unit is installed as a gateway or router between multiple networks, such as a private
network and the internet. One function of NAT/route mode is to allow the FortiProxy to hide the IP addresses on the
private network using NAT.

In transparent mode, the FortiProxy operates at layer 2 to forward traffic between network devices such as routers,
firewalls, and switches. For example, it can be installed inline between a router and a switch to perform security
scanning without changing the network topology or modifying the IP addresses. When you add a FortiProxy that is in
transparent mode to a network, it only needs to be provided with a management IP address in order to access the device.
It is recommended that a dedicated interface be used to connect to the management network in transparent mode.
Transparent mode is used primarily when there is a need to increase network protection but changing the configuration
of the network itself is impractical.

Changing the operation mode removes most configurations, including any policies and
address objects. To keep your configuration, back it up before changing the mode.

To back up your configuration in the GUI:

1. Click on the user name and select Configuration > Backup.
2. Select where to store the backup file, Local PC or USB Disk (if available).
3. Optionally, enable Encryption and enter a password.
4. Click OK.

To back up your configuration in the CLI:

# execute backup {config | full-config} {flash | ftp | management-station | sftp | tftp | usb | usb-mode} ...

To change from NAT/route mode to transparent mode:

config system settings
    set opmode transparent
    set manageip <IP_address>
    set gateway <gateway_address>
end

The gateway setting is optional, but after the operation mode has been changed, the gateway configuration is in the
static router settings:
config router static
edit <seq-num>
set gateway <IP_address>
next
end
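
Because the mode change removes the policies and address objects, the management IP and gateway you set in the sequence above are the only way back onto the unit afterwards. The following helper, added here as an example and not part of the guide or of Fortinet's tooling, validates a manageip/gateway pair before printing that CLI sequence. It assumes manageip is given in address/prefix form (for example 192.168.1.99/24); the sample values are constructed.

```python
"""Pre-flight check for the NAT/route to transparent mode change.

Added example, not from the FortiProxy guide. Validates that the management
address carries a prefix length, is a host address, and that the optional
gateway lies on the same subnet, then emits the CLI the guide shows.
Assumption: manageip is written as "address/prefix". Sample values are constructed.
"""
import ipaddress
from typing import Optional


def transparent_mode_script(manageip: str, gateway: Optional[str] = None) -> str:
    """Return the CLI to switch to transparent mode, or raise ValueError."""
    iface = ipaddress.ip_interface(manageip)          # raises ValueError on junk
    net = iface.network
    if net.prefixlen == net.max_prefixlen:
        # "192.168.1.99" alone parses as /32, which would leave the unit isolated.
        raise ValueError("manageip must carry a prefix length, e.g. 192.168.1.99/24")
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError("manageip is the network or broadcast address")
    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        if gw not in net:
            raise ValueError("gateway is not on the manageip subnet; unit would be unreachable")
        if gw == iface.ip:
            raise ValueError("gateway equals manageip")
    lines = [
        "config system settings",
        "    set opmode transparent",
        f"    set manageip {iface.with_prefixlen}",
    ]
    if gateway is not None:
        lines.append(f"    set gateway {gateway}")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: management host on 192.168.1.0/24 behind 192.168.1.1.
    print(transparent_mode_script("192.168.1.99/24", "192.168.1.1"))
```

Run the check and paste its output into the CLI only after the backup step above has completed; a ValueError means the pair would have cut off management access.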

To change from transparent mode to NAT/route mode:

config system settings
    set opmode nat
    set ip <IP_address>
    set device <interface>
    set gateway <gateway_address>
end

The IP and device settings are mandatory, and the gateway setting is optional. After the operation mode is changed, the
IP address configuration is in the interface settings and the gateway and device configurations are in the static router
settings:
config system interface
    edit <interface>
        set ip <IP_address>
    next
end
config router static
    edit <seq-num>
        set gateway <IP_address>
        set device <interface>
    next
end

Web proxy

Web proxy covers both transparent proxy and explicit proxy.


This section covers the following topics:
- Web proxy concepts
- Explicit web proxy concepts
- Transparent web proxy concepts
- Explicit web proxy topologies

Web proxy concepts

This section covers the following concepts that apply to both transparent proxy and explicit proxy:
- Proxy policy
- Proxy authentication
- Proxy addresses
- Web proxy firewall services and service groups
- Learn client IP

Proxy policy

Any time a security profile that uses a proxy is enabled, you need to configure the proxy options. Certain inspections
defined in security profiles require that the traffic be held in proxy while the inspection is carried out, and the proxy
options define how the traffic will be processed and to what level the traffic will be processed. In the same way that there
can be multiple security profiles of a single type, there can also be a number of unique proxy option profiles so that, as
the requirements for a policy differ from one policy to the next, you can also configure a different proxy option profile for
each individual policy or you can use one profile repeatedly.
The proxy options support the following protocols:
- HTTP
- FTP
- CIFS
- SSH
The configuration for each of these protocols is handled separately.

Proxy authentication

Authentication is separated from authorization for user-based policies. You can add authentication to proxy policies to
control access to the policy and to identify users and apply different UTM features to different users. The described
authentication methodology works with explicit web proxy and transparent proxy.
Authentication of web proxy sessions uses HTTP basic and digest authentication as described in RFC 2617 (HTTP
Authentication: Basic and Digest Access Authentication) and prompts the user for credentials from the browser allowing
individual users to be identified by their web browser instead of IP address. HTTP authentication allows the FortiProxy
unit to distinguish between multiple users accessing services from a shared IP address.
The authentication rule table defines how a user ID is established. A rule is matched on:
- Protocol
- Source address
For a given address and protocol there is only one authentication rule. It is possible to configure multiple
authentication methods for one address. The client browser will choose one method from the list of authentication
methods offered, but you cannot control which method the browser chooses.
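
The 407 round trip described above, as an added example that is not part of the guide or of Fortinet's code: the proxy issues a Proxy-Authenticate challenge, the browser answers with Proxy-Authorization for one of the offered schemes, and the proxy verifies it. The realm name, the user store and the request URL are constructed sample values; FortiProxy performs this exchange internally and exposes none of these functions. Note the practical difference between the two RFC 2617 schemes: Basic carries the password base64-encoded (readable by anyone on the path), while Digest proves possession of it through a hash bound to the proxy's nonce and the request method.

```python
"""Proxy authentication exchange per RFC 2617 (HTTP Basic and Digest).

Added example; not code from the FortiProxy guide or from Fortinet. Models the
407 Proxy Authentication Required round trip between a browser and an explicit
web proxy. REALM, USERS and the request are constructed sample values.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, Optional, Tuple

REALM = "FortiProxy"            # assumption: any realm string works
USERS = {"alice": "s3cret"}     # constructed credential store


def _md5(s: str) -> str:
    # RFC 2617 Digest uses an MD5 hash chain (still what most proxies implement).
    return hashlib.md5(s.encode()).hexdigest()


def parse_auth_header(value: str) -> Dict[str, str]:
    """Split 'Scheme k="v", k2=v2' into a dict that also carries 'scheme'."""
    scheme, _, rest = value.strip().partition(" ")
    params = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', rest)}
    params["scheme"] = scheme.lower()
    if params["scheme"] == "basic":
        params["token"] = rest.strip()          # Basic has one opaque token, no k=v
    return params


def proxy_challenge(scheme: str) -> Tuple[str, str]:
    """Proxy side of the 407: returns (Proxy-Authenticate value, issued nonce)."""
    if scheme == "basic":
        return f'Basic realm="{REALM}"', ""
    nonce = os.urandom(16).hex()                 # fresh per challenge; proxy remembers it
    return f'Digest realm="{REALM}", qop="auth", nonce="{nonce}", algorithm=MD5', nonce


def browser_response(challenge: str, user: str, password: str, method: str, uri: str) -> str:
    """Browser side: build the Proxy-Authorization value for the offered scheme."""
    ch = parse_auth_header(challenge)
    if ch["scheme"] == "basic":
        # Basic is base64, not encryption: the password is readable on the wire.
        return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    cnonce, nc = os.urandom(8).hex(), "00000001"
    ha1 = _md5(f"{user}:{ch['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{ch['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{user}", realm="{ch["realm"]}", nonce="{ch["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


def proxy_verify(authorization: str, method: str, issued_nonce: str) -> Optional[str]:
    """Proxy side: return the authenticated username, or None to send another 407."""
    a = parse_auth_header(authorization)
    if a["scheme"] == "basic":
        try:
            user, _, pw = base64.b64decode(a["token"]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        return user if hmac.compare_digest(USERS.get(user, ""), pw) else None
    if a["scheme"] != "digest":
        return None
    needed = ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")
    if any(k not in a for k in needed) or a.get("qop") != "auth":
        return None
    if a["realm"] != REALM or not hmac.compare_digest(a["nonce"], issued_nonce):
        return None                              # foreign or stale nonce: replay
    password = USERS.get(a["username"])
    if password is None:
        return None
    ha1 = _md5(f"{a['username']}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{a['uri']}")           # method is bound into the proof
    expected = _md5(f"{ha1}:{a['nonce']}:{a['nc']}:{a['cnonce']}:auth:{ha2}")
    return a["username"] if hmac.compare_digest(expected, a["response"]) else None


def run_exchange(scheme: str, user: str, password: str) -> Optional[str]:
    """Drive one full 407 round trip for a GET through the proxy."""
    challenge, nonce = proxy_challenge(scheme)
    authz = browser_response(challenge, user, password, "GET", "http://example.com/")
    return proxy_verify(authz, "GET", nonce)
```

A proxy that offers both schemes lets the browser pick, which is the point the text makes: if Basic is in the list, a browser may use it, so the user's password is then exposed to anyone between the browser and the proxy unless that hop is itself protected.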

Proxy addresses

Proxy addresses are used for both transparent web proxy and explicit web proxy.

In some respects, they can be like FQDN addresses in that they refer to an alphanumeric string that is assigned to an IP
address, but then they go an additional level of granularity by using additional information and criteria to further specify
locations or types of traffic within the web site itself.

Proxy address group

In the same way that IPv4 addresses can only be grouped with other IPv4 addresses, and IPv6 addresses with other IPv6
addresses, proxy addresses can only be grouped with other proxy addresses. Unlike other address groups, proxy address
groups are further divided into source address groups and destination address groups.

Web proxy firewall services and service groups

Web proxy services are similar to standard firewall services. You can configure web proxy services to define one or more
protocols and port numbers that are associated with each web proxy service. Web proxy services can also be grouped
into web proxy service groups.
One way in which web proxy services differ from firewall services is the protocol type you can select. The following
protocol types are available:
- ALL
- CONNECT
- FTP
- HTTP
- SOCKS-TCP
- SOCKS-UDP

Learn client IP

If there is another NAT device between the FortiProxy unit and the client (browser), this feature can be used to identify
the real client in spite of the address translation. Knowing the actual client is essential when authorization decisions
are made on the basis of the client address.
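
The trust rule such a feature has to apply, as an added example (not FortiProxy code and not a description of how the unit implements the option): a forwarded-client header is believed only when the TCP peer is a NAT or proxy hop you know inserts it, and the client is the right-most entry that was not appended by one of those hops. The trusted-hop list, the header name (X-Forwarded-For) and the sample request are constructed assumptions; the actual header FortiProxy reads is a configuration setting on the unit.

```python
"""Learning the real client IP behind a NAT or proxy hop.

Added example; not FortiProxy code. Believe X-Forwarded-For only when the TCP
peer is a known NAT/proxy hop, and take the right-most address that a trusted
hop did not insert. TRUSTED_HOPS and SAMPLE_REQUEST are constructed.
"""
import ipaddress
from typing import List

# Assumption: the downstream NAT devices we know append X-Forwarded-For.
TRUSTED_HOPS = [ipaddress.ip_network("192.168.1.10/32"), ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_hop(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_HOPS)


def learn_client_ip(peer_addr: str, xff_values: List[str]) -> str:
    """Address to use for policy matching and authorization decisions."""
    if not is_trusted_hop(peer_addr) or not xff_values:
        # Unknown peer: anything it put in X-Forwarded-For is attacker-controlled.
        return peer_addr
    # Several header lines are equivalent to one comma-joined list.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    # Walk from the right: the trusted peer appended the address it saw last.
    for hop in reversed(hops):
        if is_trusted_hop(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer_addr          # malformed entry: do not guess, fall back
    return peer_addr                  # only trusted hops listed: nothing to learn


def client_ip_from_request(peer_addr: str, raw_request: bytes) -> str:
    """Pull X-Forwarded-For out of a raw HTTP request head and apply the rule."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    xff = [line.split(":", 1)[1] for line in head.split("\r\n")[1:]
           if line.lower().startswith("x-forwarded-for:")]
    return learn_client_ip(peer_addr, xff)


# Constructed sample: the browser behind NAT device 192.168.1.10 sent its own
# bogus X-Forwarded-For; the NAT device appended the browser's real address.
SAMPLE_REQUEST = (b"GET http://example.com/ HTTP/1.1\r\n"
                  b"Host: example.com\r\n"
                  b"X-Forwarded-For: 10.0.0.1\r\n"
                  b"X-Forwarded-For: 203.0.113.5\r\n"
                  b"\r\n")
```

The failure mode this guards against is the one the paragraph implies: if the header were trusted from any peer, a client could pick the identity used for authorization simply by sending the header itself.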

Explicit web proxy concepts

The following is information that is specific to explicit proxy. Any information that is common to web proxy in general is
covered in Web proxy concepts on page 16.
You can use the FortiProxy explicit web proxy to enable explicit proxying of IPv4 and IPv6 HTTP and HTTPS traffic on
one or more FortiProxy interfaces. The explicit web proxy also supports proxying FTP sessions from a web browser and
proxy auto-config (PAC) to provide automatic proxy configurations for explicit web proxy users. From the CLI you can
also configure the explicit web proxy to support SOCKS sessions from a web browser. The explicit web and FTP proxies
can be operating at the same time on the same or on different FortiProxy interfaces.
In most cases, you would configure the explicit web proxy for users on a network by enabling the explicit web proxy on
the FortiProxy interface connected to that network. Users on the network would configure their web browsers to use a
proxy server for HTTP and HTTPS, FTP, or SOCKS and set the proxy server IP address to the IP address of the
FortiProxy interface connected to their network. Users could also enter the PAC URL into their web browser PAC
configuration to automate their web proxy configuration using a PAC file stored on the FortiProxy unit.

Enabling the explicit web proxy on an interface connected to the Internet is a security risk
because anyone on the Internet who finds the proxy could use it to hide their source address.

If the FortiProxy unit is operating in transparent mode, users would configure their browsers to use a proxy server with
the FortiProxy management IP address.
The web proxy receives web browser sessions to be proxied at FortiProxy interfaces with the explicit web proxy enabled.
The web proxy uses FortiProxy routing to route sessions through the FortiProxy unit to a destination interface. Before a
session leaves the exiting interface, the explicit web proxy changes the source addresses of the session packets to the
IP address of the exiting interface. When the FortiProxy unit is operating in transparent mode, the explicit web proxy
changes the source addresses to the management IP address. You can configure the explicit web proxy to keep the
original client IP address.

Example explicit web proxy topology

To allow all explicit web proxy traffic to pass through the FortiProxy unit you can set the explicit web proxy default firewall
policy action to ACCEPT. However, in most cases you would want to use security policies to control explicit web proxy
traffic and apply security features such as access control/authentication, virus scanning, web filtering, application
control, and traffic logging. You can do this by keeping the default explicit web proxy security policy action to DENY and
then adding web-proxy security policies.
You can also change the explicit web proxy default security policy action to accept and add explicit web proxy security
policies. If you do this, sessions that match web-proxy security policies are processed according to the security policy
settings. Connections to the explicit web proxy that do not match a web-proxy security policy are allowed with no
restrictions or additional security processing. NOTE: This configuration is not recommended and is not a best practice.
The explicit web-proxy can accept VIP addresses for destination addresses. If an external IP matches a VIP policy, the
IP is changed to the mapped-IP of the VIP.
Web-proxy policies can selectively accept or deny traffic, apply authentication, enable traffic logging, and use security
profiles to apply virus scanning, web filtering, IPS, application control, DLP, and SSL/SSH inspection to explicit web
proxy traffic.
You cannot configure IPsec, SSL VPN, or traffic shaping for explicit web proxy traffic. Web proxy policies can only
include firewall addresses not assigned to a FortiProxy unit interface or with interface set to any. (On the web-based
manager, you must set the interface to any. In the CLI you must unset the associated interface.)
Authentication of explicit web proxy sessions uses HTTP authentication and can be based on the user’s source IP
address or on cookies from the user’s web browser.
To use the explicit web proxy, users must add the IP address of a FortiProxy interface on which the explicit web proxy is
enabled, and the explicit web proxy port number (default 8080), to the proxy configuration settings of their web browsers.
You can also enable web caching for explicit web proxy sessions.

Transparent web proxy concepts

In addition to the explicit web proxy, the FortiProxy unit supports a transparent web proxy. While it does not have as
many features as explicit web proxy, the transparent proxy has the advantage that nothing needs to be done on the
userʼs system to forward supported web traffic over to the proxy. There is no need to reconfigure the browser or publish a
PAC file. Everything is transparent to the end user, hence the name. This makes it easier to incorporate new users into a
proxy deployment.
You can use the transparent proxy to apply web authentication to HTTP traffic accepted by a firewall policy.
Normal FortiProxy authentication is IP-address based. Users are authenticated according to their IP address and access
is allowed or denied based on this IP address. On networks where authentication based on IP address will not work, you
can use the transparent web proxy to apply web authentication that is based on the user's browser and not on their IP
address. This authentication method allows you to identify individual users even if multiple users on your network are
connecting to the FortiProxy unit from the same IP address.

Explicit web proxy topologies

You can configure a FortiProxy unit to be an explicit web proxy server for Internet web browsing of IPv4 and IPv6 web
traffic. To use the explicit web proxy, users must add the IP address of the FortiProxy interface configured for the explicit
web proxy to their web browser proxy configuration.

Explicit web proxy topology

If the FortiProxy unit supports web caching, you can also add web caching to the security policy that accepts explicit web
proxy sessions. The FortiProxy unit then caches Internet web pages on a hard disk to improve web browsing
performance.

Explicit web proxy with web caching topology

WAN optimization

FortiProxy WAN optimization consists of a number of techniques that you can apply to improve the efficiency of
communication across your WAN. These techniques include protocol optimization, byte caching, web caching, SSL
offloading, and secure tunneling. Protocol optimization can improve the efficiency of traffic that uses the CIFS, FTP,
HTTP, or MAPI protocol, as well as general TCP traffic. Byte caching caches files and other data on FortiProxy units to
reduce the amount of data transmitted across the WAN. Web caching stores web pages on FortiProxy units to reduce
latency and delays between the WAN and web servers. SSL offloading offloads SSL decryption and encryption from web
servers onto FortiProxy SSL acceleration hardware. Secure tunneling secures traffic as it crosses the WAN.
You can apply different combinations of these WAN optimization techniques to a single traffic stream depending on the
traffic type. For example, you can apply byte caching and secure tunneling to any TCP traffic. For HTTP and HTTPS
traffic, you can also apply protocol optimization and web caching.
You can configure a FortiProxy unit to be an explicit web proxy server for both IPv4 and IPv6 traffic and an explicit FTP
proxy server. Users on your internal network can browse the Internet through the explicit web proxy server or connect to
FTP servers through the explicit FTP proxy server. You can also configure these proxies to protect access to web or FTP
servers behind the FortiProxy unit using a reverse proxy configuration.
Web caching can be applied to any HTTP or HTTPS traffic. This includes normal traffic accepted by a security policy,
explicit web proxy traffic, and WAN optimization traffic.
You can also configure a FortiProxy unit to operate as a Web Cache Communication Protocol (WCCP) client or server.
WCCP provides the ability to offload web caching to one or more redundant web caching servers.
FortiProxy units can also apply security profiles to traffic as part of a WAN optimization, explicit web proxy, explicit FTP
proxy, web cache and WCCP configuration. Security policies that include any of these options can also include settings
to apply all forms of security profiles supported by your FortiProxy unit.
To check how much memory has been allocated for the WAN-optimization daemon (WAD), use the diagnose wad
memory track [<mem-id>] command.
WAN optimization supports TLS 1.3.

WAN optimization transparent mode

WAN optimization is transparent to users. This means that with WAN optimization in place, clients connect to servers in
the same way as they would without WAN optimization. However, servers receiving packets after WAN optimization
“see” different source addresses depending on whether or not transparent mode is selected for WAN optimization. If
transparent mode is selected, WAN optimization keeps the original source address of the packets, so servers appear to
receive traffic directly from clients. Routing on the server network should be configured to route traffic with client source
IP addresses from the server-side FortiProxy unit to the server and back to the server-side FortiProxy unit.

Some protocols, for example CIFS, may not function as expected if transparent mode is not
selected. In most cases, for CIFS WAN optimization you should select transparent mode and
make sure the server network can route traffic as described to support transparent mode.

If transparent mode is not selected, the source address of the packets received by servers is changed to the address of
the server-side FortiProxy unit interface that sends the packets to the servers. So servers appear to receive packets from
the server-side FortiProxy unit. Routing on the server network is simpler in this case because client addresses are not
involved. All traffic appears to come from the server-side FortiProxy unit and not from individual clients.


Do not confuse WAN optimization transparent mode with FortiProxy transparent mode. WAN
optimization transparent mode is similar to source NAT. FortiProxy transparent mode is a
system setting that controls how the FortiProxy unit processes traffic. See Transparent and
NAT/route modes on page 14.

WAN optimization topologies

The WAN optimization topologies are described in the following sections:

l Basic WAN optimization topology
l Out-of-path WAN optimization topology
l Topology for multiple networks
l WAN optimization with web caching

Basic WAN optimization topology

The basic FortiProxy WAN optimization topology consists of two FortiProxy units operating as WAN optimization peers
intercepting and optimizing traffic crossing the WAN between the private networks.

Security device and WAN optimization topology

FortiProxy units can be deployed as security devices that protect private networks connected to the WAN and also
perform WAN optimization. In this configuration, the FortiProxy units are configured as typical security devices for the
private networks and are also configured for WAN optimization. The WAN optimization configuration intercepts traffic to
be optimized as it passes through the FortiProxy unit and uses a WAN optimization tunnel with another FortiProxy unit to
optimize the traffic that crosses the WAN.
You can also deploy WAN optimization on single-purpose FortiProxy units that only perform WAN optimization. In the
out of path WAN optimization topology shown below, FortiProxy units are located on the WAN outside of the private
networks. You can also install the WAN optimization FortiProxy units behind the security devices on the private
networks.
The WAN optimization configuration is the same for FortiProxy units deployed as security devices and for single-purpose
WAN optimization FortiProxy units. The only differences would result from the different network topologies.


Out-of-path WAN optimization topology

In an out-of-path topology, one or both of the FortiProxy units configured for WAN optimization are not directly in the
main data path. Instead, the out-of-path FortiProxy unit is connected to a device on the data path, and the device is
configured to redirect sessions to be optimized to the out-of-path FortiProxy unit.
The following out-of-path FortiProxy units are configured for WAN optimization and connected directly to FortiProxy units
in the data path. The FortiProxy units in the data path use a method such as policy routing to redirect traffic to be
optimized to the out-of-path FortiProxy units. The out-of-path FortiProxy units establish a WAN optimization tunnel
between each other and optimize the redirected traffic.

Out-of-path WAN optimization

One of the benefits of out-of-path WAN optimization is that out-of-path FortiProxy units only perform WAN optimization
and do not have to process other traffic. An in-path FortiProxy unit configured for WAN optimization also has to process
other non-optimized traffic on the data path.
The out-of-path FortiProxy units can operate in NAT/Route or transparent mode.
Other out-of-path topologies are also possible. For example, you can install the out-of-path FortiProxy units on the
private networks instead of on the WAN. Also, the out-of-path FortiProxy units can have one connection to the network
instead of two. In a one-arm configuration such as this, security policies and routing have to be configured to send the
WAN optimization tunnel out the same interface as the one that received the traffic.

Topology for multiple networks

As shown in the following figure, you can create multiple WAN optimization configurations between many private
networks. Whenever WAN optimization occurs, it is always between two FortiProxy units, but you can configure any
FortiProxy unit to perform WAN optimization with any of the other FortiProxy units that are part of your WAN.


WAN optimization among multiple networks

You can also configure WAN optimization between FortiProxy units with different roles on the WAN. FortiProxy units
configured as security devices and for WAN optimization can perform WAN optimization as if they are single-purpose
FortiProxy units just configured for WAN optimization.

WAN optimization with web caching

You can add web caching to a WAN optimization topology when users on a private network communicate with web
servers located across the WAN on another private network.


WAN optimization with web-caching topology

The topology above is the same as that shown in Basic WAN optimization topology on page 21 with the addition of web
caching to the FortiProxy unit in front of the private network that includes the web servers. You can also add web caching
to the FortiProxy unit that is protecting the private network. In a similar way, you can add web caching to any WAN
optimization topology.

Web caching

Web caching is a form of object caching that accelerates web applications and web servers by reducing bandwidth
usage, server load, and perceived latency.
Web caching involves storing HTML pages, images, videos, servlet responses, and other web-based objects for later
retrieval. These objects are stored in the web cache storage location defined by the config system storage
command. You can also go to System > Advanced to view the storage locations on the FortiProxy unit hard disks in the
System Storage Setting section.
There are three significant advantages to using web caching to improve HTTP performance:
l Reduced bandwidth consumption because fewer requests and responses go over the WAN or Internet
l Reduced web server load because there are fewer requests for web servers to handle
l Reduced latency because responses for cached requests are available from a local FortiProxy unit instead of from
across the WAN or Internet
When enabled in a web-caching policy, the FortiProxy unit caches HTTP traffic processed by that policy. A web-caching
policy specifies the source and destination addresses and destination ports of the traffic to be cached.
Web caching caches compressed and uncompressed versions of the same file separately. If the HTTP server treats the
compressed and uncompressed versions of a file as the same object, only the compressed or the uncompressed file will
be cached.
You can deploy a mix of hardware and virtual appliances, operating together and managed from a common centralized
management platform. FortiProxy high-performance web-caching virtual appliances address bandwidth saturation, high
latency, and poor performance by caching popular Internet content locally for carriers, service providers, enterprises,
and educational networks.


The FortiProxy unit supports the following:

l KVM hypervisor
l VMware hypervisor
l Xen hypervisor
l Hyper-V hypervisor

Collaboration web caching

Collaboration web caching allows multiple FortiProxy units within one organization to share all cached objects.
Cache-sharing requests are broadcast from one FortiProxy unit to one or more destination FortiProxy units to prevent
loops. The first FortiProxy unit to respond to a cache-sharing request is accepted, and the rest of the responses are
ignored. Cache data from a remote (destination) FortiProxy unit participating in collaboration web caching is not saved to
the local (source) FortiProxy disk; instead the data is saved to the local memory cache.
NOTE: Sending and receiving cache-sharing requests can impact the performance of FortiProxy units that participate in
collaboration web caching. The performance impact depends on how many cache-sharing requests are being handled.
Use the following commands to connect a source FortiProxy unit to a destination FortiProxy unit for collaboration web
caching:
config wanopt cache-service
    set collaboration enable
    set device-id "fch-1"
    config dst-peer
        edit "peer-id"
            set ip xxx.xxx.xxx.xxx
        next
    end
end

Use the following commands to identify all FortiProxy units participating in collaboration web caching:
config wanopt cache-service
    set collaboration enable
    set device-id "peer-id"
    set acceptable-peers any
end

Use the following commands to allow a FortiProxy unit to accept cache-sharing requests:
config wanopt cache-service
    set collaboration enable
    set acceptable-peers any
end

For example, use the following commands to allow a destination FortiProxy unit to accept cache-sharing requests from a
single source FortiProxy unit:
config wanopt cache-service
    set collaboration enable
    set acceptable-peers src-peer
    set device-id "peer-id"
    config src-peer
        edit "fch-1"
            set ip xxx.xxx.xxx.xxx
        next
    end
end

Web-caching topologies

FortiProxy web caching involves one or more FortiProxy units installed between users and web servers. The FortiProxy
unit can operate in both Network Address Translator (NAT) and transparent modes. The FortiProxy unit intercepts HTTP
requests for web objects accepted by web cache policies, requests the web objects from the web servers, caches the
web objects, and returns the web objects to the users. When the FortiProxy unit intercepts subsequent requests for
cached web pages, the FortiProxy unit contacts the destination web server just to check for changes.
Most commonly, the topology uses a router to route HTTP and HTTPS traffic to be cached to one or more FortiProxy
units. Traffic that should not be cached bypasses the FortiProxy units. This is a scalable topology that allows you to add
more FortiProxy units if usage increases.

Web-caching topology with web traffic routed to FortiProxy units

You can also configure reverse proxy web caching. In this configuration, users on the Internet browse to a web server
installed behind a FortiProxy unit. The FortiProxy unit intercepts the web traffic (HTTP and HTTPS) and caches pages
from the web server. Reverse proxy web caching on the FortiProxy unit reduces the number of requests that the web
server must handle, leaving it free to process new requests that it has not serviced before. Because all traffic is to be
cached, the FortiProxy unit can be installed in transparent mode directly between the web server and the Internet.

Reverse proxy web-caching topology

The reverse proxy configuration can also include a router to route web traffic to a group of FortiProxy units operating in
transparent mode. This solution for reverse proxy web caching is also scalable.


Reverse proxy web-caching topology with web traffic routed to FortiProxy unit

When web objects and video are cached on the FortiProxy hard disk, the FortiProxy unit returns traffic back to the client
using the cached object from cache storage. The clients do not connect directly to the server.
When web objects and video are not available on the FortiProxy hard disk, the FortiProxy unit forwards the request to the
original server. If the HTTP response indicates that it is an object that can be cached, the object is forwarded to cache
storage, and the HTTP request is served from cache storage. Any other HTTP request for the same object will be served
from cache storage as well.
The FortiProxy unit forwards HTTP responses that cannot be cached from the server back to the client that originated
the HTTP request.
All non-HTTP traffic and HTTP traffic that is not cached by FortiProxy will pass through the unit. HTTP traffic is not
cached by the FortiProxy unit if a web cache policy has not been added for it.
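The cache flow just described, together with the separate caching of compressed and uncompressed variants noted under Web caching above, as an added Python model (not FortiProxy code; the WebCache class, its methods and the sample headers are my own):

```python
"""Model of the web-cache flow described above: store responses the origin allows a
shared cache to keep, key compressed and uncompressed variants separately, and on a
later request either serve from cache or ask the origin only whether the object changed.
Added illustration, not FortiProxy code; the class and function names are my own."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Status codes a shared cache may store by default (RFC 9111, simplified)
CACHEABLE_STATUS = {200, 203, 301, 404, 410}


@dataclass
class CachedObject:
    body: bytes
    headers: dict            # lower-cased response headers
    stored_at: float         # seconds, from the caller's clock
    max_age: Optional[int]   # None: no explicit lifetime, always revalidate

    def is_fresh(self, now: float) -> bool:
        return self.max_age is not None and (now - self.stored_at) < self.max_age


def parse_cache_control(headers: dict) -> dict:
    """'public, max-age=60' -> {'public': None, 'max-age': '60'} (keys lower-cased)."""
    out = {}
    for tok in headers.get("cache-control", "").split(","):
        tok = tok.strip().lower()
        if tok:
            k, _, v = tok.partition("=")
            out[k.strip()] = v.strip().strip('"') or None
    return out


def is_cacheable(status: int, headers: dict) -> bool:
    """Decide from the response alone whether a shared cache may keep it."""
    cc = parse_cache_control(headers)
    if status not in CACHEABLE_STATUS:
        return False
    if "no-store" in cc or "private" in cc:      # origin forbids shared caching
        return False
    if headers.get("vary", "").strip() == "*":   # response is uncacheable by definition
        return False
    # Need either an explicit lifetime or a validator to revalidate with later
    return any(k in cc for k in ("max-age", "s-maxage")) or any(
        h in headers for h in ("expires", "etag", "last-modified"))


class WebCache:
    def __init__(self) -> None:
        self._objects: dict[tuple, CachedObject] = {}

    @staticmethod
    def key(url: str, content_encoding: Optional[str]) -> tuple:
        """Compressed and uncompressed variants of one URL are distinct cache objects."""
        enc = (content_encoding or "identity").strip().lower()
        return (url, enc)

    def store(self, url: str, status: int, headers: dict, body: bytes, now: float) -> bool:
        """Keep the response if cacheable; return whether it was stored."""
        h = {k.lower(): v for k, v in headers.items()}
        if not is_cacheable(status, h):
            return False
        cc = parse_cache_control(h)
        max_age = None
        for name in ("s-maxage", "max-age"):     # s-maxage wins in a shared cache
            if cc.get(name) and cc[name].isdigit():
                max_age = int(cc[name])
                break
        if "no-cache" in cc:                     # may store, but never serve unchecked
            max_age = 0
        self._objects[self.key(url, h.get("content-encoding"))] = CachedObject(body, h, now, max_age)
        return True

    def lookup(self, url: str, content_encoding: Optional[str], now: float):
        """Return (action, obj, conditional_headers):
        'miss'       - not cached, fetch from the origin
        'hit'        - fresh copy, serve from cache without contacting the origin
        'revalidate' - stale copy; send conditional_headers, serve cached body on 304"""
        obj = self._objects.get(self.key(url, content_encoding))
        if obj is None:
            return ("miss", None, {})
        if obj.is_fresh(now):
            return ("hit", obj, {})
        cond = {}
        if "etag" in obj.headers:
            cond["If-None-Match"] = obj.headers["etag"]
        if "last-modified" in obj.headers:
            cond["If-Modified-Since"] = obj.headers["last-modified"]
        return ("revalidate", obj, cond)

    def revalidated(self, url: str, content_encoding: Optional[str], now: float) -> None:
        """The origin answered 304 Not Modified: the stored copy is current again."""
        self._objects[self.key(url, content_encoding)].stored_at = now
```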

WCCP

You can also configure a FortiProxy unit to operate as a Web Cache Communication Protocol (WCCP) client. WCCP
provides the ability to offload web caching to one or more redundant web-caching servers.

WCCP topology

You can operate a FortiProxy unit as a WCCP cache engine. As a cache engine, the FortiProxy unit returns the required
cached content to the client web browser. If the cache server does not have the required content, it accesses the
content, caches it, and returns the content to the client web browser.


WCCP topology

WCCP is transparent to client web browsers. The web browsers do not have to be configured to use a web proxy.

Dashboard

The dashboard provides a location to view real-time system information. By default, the dashboard displays the key
statistics of the FortiProxy unit itself, providing the memory and CPU status, licenses, and current number of sessions.
The dashboard provides a Network Operations Center (NOC) view with a focus on alerts. Widgets are interactive; by
clicking or hovering over most widgets, you can get additional information or follow links to other pages.
To access the main dashboard, go to Dashboard > Status.

Your browser must support JavaScript to view the dashboard.

The following widgets are displayed:

l System Information
l Licenses
l Virtual Machine
l FortiCloud Logs
l Security Fabric


l Administrators
l CPU
l Memory
l Proxy Sessions
l Advanced Threat Protection Statistics
You can add the following FortiView widgets to the dashboard:
l FortiView Applications
l FortiView Cloud Applications
l FortiView Countries/Regions
l FortiView Destination Firewall Objects
l FortiView Destination Interfaces
l FortiView Destination Owners
l FortiView Destinations
l FortiView Interface Pairs
l FortiView Policies
l FortiView Search Phrases
l FortiView Servers
l FortiView Sessions
l FortiView Source Firewall Objects
l FortiView Source Interfaces
l FortiView Sources
l FortiView Sources - WAN
l FortiView Traffic Shaping
l FortiView VPN
l FortiView Web Categories
l FortiView Web Sites
This section describes the following:
l Managing widgets
l System Information widget
l Licenses widget
l Virtual Machine widget
l FortiProxy Cloud widget
l Security Fabric widget
l Administrators widget
l CPU widget
l Memory widget
l Sessions widget
l SSL-VPN widget on page 37
l IPSec widget on page 38
l Forward Server Monitor widget - 7.0.9 on page 38
l User dropdown menu on page 39
l GUI-based global search on page 39


Managing widgets

To rearrange widgets on the dashboard, drag the widgets by their title bars.
All widgets have the following two title bar options:

Resize: Select the size of the widget.

Remove: Remove the widget from the dashboard.

To add a FortiView widget to a dashboard:

1. Go to Dashboard > Status.
2. At the top of the dashboard, click Add Widget.
3. Click + for the FortiView widget that you want to add.
The Add Dashboard Widget window opens.

4. Click Specify if you want the widget to monitor all FortiProxy units instead of a single FortiProxy unit.
5. Select the time period to display.
6. Select Table View or Bubble Chart.
7. Select the Sort By value.
8. Click Add Widget.
The new widget is displayed in the main dashboard.
9. Click Close.


System Information widget

The System Information widget displays general system information, such as the FortiProxy unit serial number, firmware
version, host name, and system time. Clicking on the widget provides you links to two other pages:
l To configure settings, go to System > Settings.
l To update the firmware version, go to System > Firmware.

Hostname: The host name of the current FortiProxy unit.

Serial Number: The serial number of the FortiProxy unit. The serial number is specific to that unit and does not change
with firmware upgrades.

Firmware: The version of the firmware currently installed on the FortiProxy unit. To update the firmware version, go to
System > Firmware.
By installing an older firmware image, some system settings might be lost. You should always back up your
configuration before changing the firmware image. To back up your configuration, go to <user_name> > Configuration >
Backup.
You must register your unit with Fortinet Customer Support to access firmware updates for your model. For more
information, go to https://support.fortinet.com or contact Fortinet Customer Service & Support.

Mode: The current operating mode of the FortiProxy unit. A unit can operate in NAT mode or transparent mode.

System Time: The current date and time according to the FortiProxy unit’s internal clock.

Uptime: The time in days, hours, and minutes since the FortiProxy unit was started.

WAN IP: The WAN IP address and location. Additionally, if the WAN IP is blocked in the FortiGuard server, there is a
notification in the notification area, located in the upper right-hand corner of the Dashboard. Clicking on the notification
opens a window with the relevant blocklist information.


Licenses widget

The Licenses widget displays the statuses of your licenses and FortiGuard subscriptions. It also allows you to update
your device’s registration status and FortiGuard definitions.
Hovering over the Licenses widget displays status information for Subscription License, Content Analysis, FortiCare
Support, IPS, AntiVirus, and Web Filtering. Clicking on each license provides links to renew, register, subscribe, or add
your FortiCare contract number.
Go to System > FortiGuard to register for FortiCare Support, upgrade databases, and view details. See FortiGuard on
page 440.


Virtual Machine widget

This widget displays license information, number of allocated vCPUs, and how much RAM has been allocated.

FortiProxy Cloud widget

This widget displays the FortiProxy Cloud status and provides a link to activate FortiProxy Cloud.


Security Fabric widget

You can hover over the icons along the top of the Security Fabric widget to get a quick view of the status of the various
components in the Security Fabric. Hover over the host name to display system information.
Click on an icon for a link to configure the settings for that component.

Administrators widget


This widget allows you to view which administrators are logged in and how many sessions are active. Clicking on the
widget provides you a link to a page displaying active administrator sessions.

CPU widget

The real-time CPU usage is displayed for different time frames. Select the time frame from the drop-down list at the top
of the widget. Hovering over any point on the graph displays the average CPU usage along with a time stamp.

Memory widget

Real-time memory usage is displayed for different time frames. Select the time frame from the drop-down list at the top of
the widget. Hovering over any point on the graph displays the percentage of memory used along with a time stamp.


Sessions widget

This widget allows you to view how many proxy sessions are active. Select the time frame from the drop-down list at the
top of the widget. Select whether to display IPv4, IPv6, or IPv4 + IPv6 sessions. Hovering over any point on the graph
displays the number of proxy sessions with a time stamp.

SSL-VPN widget

Starting in FortiProxy 7.0.0, the SSL-VPN widget includes Duration and Connection Summary charts. The widget also
identifies users who have not enabled two-factor authentication.

To view the SSL-VPN widget:

1. Go to Dashboard and click Add Widget.
2. Under Network, click SSL-VPN.
3. Click Default or specify the FortiProxy unit.
4. Click Add Widget.
5. Click Close.
6. The SSL-VPN overview widget is displayed.
A warning appears when at least one VPN user has not enabled two-factor authentication.
7. Hover over the widget and click Expand to full screen. The Duration and Connection Summary charts are displayed
at the top of the monitor.
A warning appears in the Username column when a user has not enabled two-factor authentication.
8. Right-click a user to End Session, Locate on VPN Map, Show Matching Logs, and Show in FortiView.


IPSec widget

Starting in FortiProxy 7.0.0, the IPsec widget displays information about Phase 1 and Phase 2 tunnels. The widget also
identifies users who have not enabled two-factor authentication.

To view the IPSec widget:

1. Go to Dashboard and click Add Widget.
2. Under Network, click IPsec.
3. Click Default or specify the FortiProxy unit.
4. Click Add Widget.
5. Click Close.
6. The IPsec overview widget is displayed.
7. Hover over the widget and click Expand to full screen. A warning appears when an unauthenticated user is
detected.

Forward Server Monitor widget - 7.0.9

This widget allows you to monitor the forward server status, connections, and hits. Hover over the graph or server name
in the widget to get a quick view of the server status.


User dropdown menu

In the right corner of the FortiProxy title bar, the user dropdown menu provides the following actions:
l Reboot the system.
l Shut down the system.
l Upload a new version of the FortiProxy firmware or restore an older firmware version.
l Back up your FortiProxy configuration.
l Restore a saved FortiProxy configuration.
l Check the available versions of your saved FortiProxy configurations.
l Upload or run a script.
l Change your password.
l Log out.

GUI-based global search

The global search option in the GUI allows users to search for keywords appearing in objects and navigation menus to
quickly access the object and configuration page. Click the magnifying glass icon in the top-left corner of the banner to
access the global search.

The global search includes the following features:

l Keep a history of frequent and recent searches
l Sort results alphabetically by increasing or decreasing order, and relevance by search weight
l Search by category
l Search in Security Fabric members (accessed by the Security Fabric members dropdown menu in the banner)

FortiView

FortiView is a comprehensive monitoring system for your network that integrates real-time and historical data into a
single view on your FortiProxy unit. It can log and monitor threats to networks, filter data on multiple levels, keep track of
administrative activity, and more.
FortiView allows you to use multiple filters within the consoles, enabling you to narrow your view to a specific time (up to
24 hours in the past), by user ID or local IP address, by application, and in many more ways.
FortiView can be used to investigate traffic activity, such as user uploads/downloads or videos watched on YouTube, on
a network-wide, user group, and individual-user level, with information relayed in both text and visual format. FortiView
makes it easy to get an actionable picture of your network's Internet activity.
This section covers the following topics:
l FortiView dependencies on page 40
l FortiView interface on page 42
l FortiView consoles on page 43

FortiView dependencies

By default, FortiView is enabled on FortiProxy units. You will find the FortiView consoles in the main menu.
Most FortiView consoles require the user to enable several features to produce data. The following table summarizes the
dependencies:

FortiView Console: Dependencies

FortiView Applications:
l Application control profile added to a policy
l Logging device set up and enabled
l Historical FortiView enabled
l Traffic logging enabled in a policy

FortiView Cloud Applications:
l Logging device set up and enabled
l Historical FortiView enabled
l Traffic logging enabled in a policy
l Full SSL inspection enabled for all protocols in an SSL/SSH Inspection profile
l Application Control profile and Full SSL Inspection profile added to the same policy

FortiView Countries/Regions:
l Logging device set up and enabled
l Historical FortiView enabled
l Traffic logging enabled in a policy

FortiView Destination Firewall Objects:
l Logging device set up and enabled
l Historical FortiView enabled
l Traffic logging enabled in a policy

FortiView Destination Interfaces:
l Logging device set up and enabled
l Historical FortiView enabled
l Traffic logging enabled in a policy

FortiView Destination Owners:
l Logging device set up and enabled
l Historical FortiView enabled
l Traffic logging enabled in a policy

FortiView Destinations:
l Logging device set up and enabled
l Historical FortiView enabled
l Traffic logging enabled in a policy

FortiView Interface Pairs:
l Logging device set up and enabled
l Historical FortiView enabled
l Traffic logging enabled in a policy

FortiView Policies:
l Logging device set up and enabled
l Historical FortiView enabled
l Traffic logging enabled in a policy

FortiView Search Phrases:
l FortiGuard categories enabled in a Web Filter profile
l Logging device set up and enabled
l Historical FortiView enabled
l Traffic logging enabled in a policy
l Log all search keywords enabled in a Web Filter profile
l Profile-based NGFW mode

FortiView Servers:
l Logging device set up and enabled
l Historical FortiView enabled
l Traffic logging enabled in a policy

FortiView Sessions:
l Disk logging enabled
l Traffic logging enabled in a policy

FortiView Source Firewall Objects:
l Logging device set up and enabled
l Historical FortiView enabled
l Traffic logging enabled in a policy

FortiView Source Interfaces:
l Logging device set up and enabled
l Historical FortiView enabled
l Traffic logging enabled in a policy

FortiView Sources:
l Logging device set up and enabled
l Historical FortiView enabled
l Traffic logging enabled in a policy

FortiView Sources - WAN:
l Logging device set up and enabled
l Historical FortiView enabled
l Traffic logging enabled in a policy

FortiView Traffic Shaping:
l Enable traffic-shaping feature
l Disk logging enabled
l Historical FortiView enabled

FortiView Web Categories:
l FortiGuard categories enabled in a Web Filter profile
l Web Filter profile added to a policy
l Traffic logging enabled in a policy
l Logging device set up and enabled
l Historical FortiView enabled

FortiView Web Sites:
l FortiGuard categories enabled in a Web Filter profile
l Web Filter profile added to a policy
l Traffic logging enabled in a policy
l Logging device set up and enabled
l Historical FortiView enabled

FortiView VPN:
l Logging device set up and enabled
l Historical FortiView enabled
l Traffic logging enabled in a policy
To enable disk logging and historical FortiView:

1. Go to Log & Report > Log Settings.
2. Under Local Log, enable Disk and Enable Historical FortiView.
3. Click Apply.

FortiView interface

FortiView lets you access information about the traffic activity on your FortiProxy unit, visually and textually. FortiView is
broken up into several consoles, each of which features a top menu bar and a graph window, as seen in the following
image:

Depending on the FortiView console, the top menu bar contains various controls:

l Refresh button, which updates the data displayed
l Add Filter button, for filtering the data by category
l Filter buttons to select what data to view
l View drop-down menu to select Table View or Bubble Chart
l Time Display drop-down menu (options: 5 minutes, 1 hour, or 24 hours; if you are using FortiAnalyzer, you can
select longer time periods)
l Dashboard widget drop-down menu
l Settings button
l Information icon

FortiView consoles

This section briefly describes the consoles available in FortiView:

l FortiView Applications console on page 44 displays applications used on the network that have been recognized by
Application Control and allows you to view what sort of applications individual employees are using.
l FortiView Cloud Applications console on page 44 displays Web/Cloud Applications used on the network and allows
you to access detailed data on cloud application usage, for example, YouTube.
l FortiView Countries/Regions console on page 44 provides a geographical display of threats, in real time, from
international sources as they arrive at your FortiProxy unit.
l FortiView Destination Firewall Objects console on page 45 displays the top traffic sessions aggregated by
destination object.
l FortiView Destination Interfaces console on page 45 displays the number of destination interfaces connected to
your network, how many sessions there are in each interface, and what sort of traffic is occurring.
l FortiView Destination Owners console on page 45 displays the top traffic sessions aggregated by owner.
l FortiView Destinations console on page 45 displays the top traffic sessions aggregated by destination.
l FortiView Interface Pairs console on page 45 displays the top traffic sessions aggregated by interface pair.
l FortiView Policies console on page 45 displays what policies are in affect on your network, what their source and
destination interfaces are, how many sessions are in each policy, and what sort of traffic is occurring.
l FortiView Search Phrases console on page 46 displays the top traffic sessions aggregated by website search
phrase.
l FortiView Servers console on page 46 displays the top servers aggregated by server address.
l FortiView Sessions console on page 46 displays complete information on all FortiProxy sessions, with the ability to
filter sessions by port number and application type.
l FortiView Source Firewall Objects console on page 47 displays the top traffic sessions aggregated by source
object.
l FortiView Source Interfaces console on page 47 displays the number of source interfaces connected to your
network, how many sessions there are in each interface, and what sort of traffic is occurring.
l FortiView Sources console on page 47 displays detailed information on the sources of traffic passing through the
FortiProxy unit so that you can investigate an unusual spike in traffic to determine which user is responsible.
l FortiView Sources - WAN console on page 47 displays the top traffic sessions for interfaces with a role of WAN,
aggregated by source.
l FortiView Traffic Shaping console on page 48 displays the top traffic sessions aggregated by traffic shaper.
l FortiView VPN console on page 48 displays the top traffic sessions aggregated by VPN user.
l FortiView Web Categories console on page 48 displays the top traffic sessions aggregated by website category.

FortiProxy 7.0 Administration Guide 43


Fortinet Inc.
l FortiView Web Sites console on page 48 displays web sites visited as part of network traffic that have been
recognized by Web Filtering so that you can investigate instances of proxy avoidance, which is the act of
circumventing blocks using proxies.

FortiView Applications console

The FortiView Applications console provides information about the applications being used on your network.
This console can be sorted by sessions or bytes. The data can be filtered by 5 minutes, 1 hour, or 24 hours. You can
select which applications are displayed.

For information to appear in the FortiView Applications console, Application Control must be
enabled in a policy.

FortiView Cloud Applications console

The FortiView Cloud Applications console provides information about the cloud applications being used on your network.
This includes information such as:
- The names of videos viewed on YouTube (visible by hovering the cursor over the session entry)
- Files uploaded to and downloaded from cloud hosting services such as Dropbox
- Account names used for cloud services
Two different views are available for Cloud Applications: Applications and Users (located in the top menu bar next to the time periods). Applications shows a list of the programs being used. Users shows information on the individual users of the cloud applications, including the username if the FortiProxy unit was able to see the login event.
You can sort the data by bytes, sessions, or files (up or down). The data can be filtered by 5 minutes, 1 hour, or 24 hours. You can select which cloud applications are displayed.

For information to appear in the Cloud Applications console, an application control profile (that
has Deep Inspection of Cloud Applications enabled) must be enabled in a policy, and SSL
Inspection must use deep-inspection.

FortiView Countries/Regions console

The FortiView Countries/Regions console displays network activity by geographic region. Threats from international sources are shown as they arrive at your FortiProxy unit, which is marked on the map. You can place your cursor over the FortiProxy's location to display the device name, IP address, and the city name/location.
The color gradient of the darts on the map indicates the traffic risk; red indicates the most critical risk.
This console can be sorted by bytes, sessions, or threat scores. The data can be filtered by 5 minutes, 1 hour, or 24 hours.

FortiView Destination Firewall Objects console

The FortiView Destination Firewall Objects console displays the top destination firewall objects. You can drill down by
destination object.
This console uses UUIDs to resolve firewall object address names for improved usability, which requires the address objects' UUIDs to be logged.

To enable address object UUID logging in the CLI:

    config system global
        set log-uuid-address enable
    end

This console can be sorted by sessions or bytes. The data can be filtered by 5 minutes, 1 hour, or 24 hours.

FortiView Destination Interfaces console

The FortiView Destination Interfaces console lists the total number of destination interfaces connected to your network, how many sessions there are on each interface, and the number of bytes sent.
This console can be sorted by bytes or sessions. The data can be filtered by 5 minutes, 1 hour, or 24 hours.

FortiView Destination Owners console

The FortiView Destination Owners console displays the top destination owners. This console can be sorted by bytes or
sessions. The data can be filtered by 5 minutes, 1 hour, or 24 hours.

FortiView Destinations console

The FortiView Destinations console provides information about the destination IP addresses of traffic on your FortiProxy
unit, as well as the application used. You can select the country/region, destination device, or destination IP address to
display.
This console can be sorted by bytes or sessions. The data can be filtered by 5 minutes, 1 hour, or 24 hours.

FortiView Interface Pairs console

The FortiView Interface Pairs console displays the top traffic sessions aggregated by the interface pair. You can select
the destination interface or the source interface to display.
This console can be sorted by bytes or sessions. The data can be filtered by 5 minutes, 1 hour, or 24 hours.

FortiView Policies console

The FortiView Policies console shows what policies are in effect on your network, what their source and destination interfaces are, how many sessions are in each policy, and what sort of traffic is occurring, represented in bytes sent and received. You can select which policies to display.
This console can be sorted by bytes or sessions. The data can be filtered by 5 minutes, 1 hour, or 24 hours.

FortiView Search Phrases console

The FortiView Search Phrases console displays the top search phrases, sorted by count. You can drill down by search
phrase.
The data can be filtered by 5 minutes, 1 hour, or 24 hours.

FortiView Servers console

The FortiView Servers console displays the top servers. You can drill down by the server address. You can select the
country/region, destination device, or destination IP address to display.
This console can be sorted by bytes or sessions. The data can be filtered by 5 minutes, 1 hour, or 24 hours.

FortiView Sessions console

The FortiView Sessions console displays the top sessions by traffic source and can be used to end sessions.
This console has the greatest number of column options to choose from. To choose which columns you want to view,
select the column settings cog at the far right of the columns and select your desired columns. They can then be clicked
and dragged in the order that you wish them to appear.
Some of the columns available in FortiView are only available in All Sessions. For example, the Action column displays
the type of response taken to a security event. This function can be used to review what sort of threats were detected,
whether the connection was reset due to the detection of a possible threat, and so on. This would be useful to display
alongside other columns such as the Source, Destination, and Bytes (Sent/Received) columns, as patterns or
inconsistencies can be analyzed.
Similarly, there are a number of filters that are only available in All Sessions, one of which is Protocol. This allows you to
display the protocol type associated with the selected session, for example, TCP, FTP, HTTP, HTTPS, and so on.
The FortiView Sessions console is useful when verifying open connections. For example, if you have a web browser open to browse the Fortinet website, you would expect a session entry from your computer to the IP address of the Fortinet website on port 443 (or port 80 for plain HTTP). You can also use the session table to investigate why there are too many sessions for the FortiProxy unit to process.
You can also view the session data in the CLI.

To view session data using the CLI:

# diagnose sys session list

The session table output in the CLI is very large. You can use the supported filters in the CLI to show only the data you
need.

To view session data with filters using the CLI:

# diagnose sys session filter {sintf | dintf | src | nsrc | dst | proto | sport | nport | dport | policy | clear}

FortiView Source Firewall Objects console

The FortiView Source Firewall Objects console displays the top source firewall objects. You can drill down by source
object.
This console uses UUIDs to resolve firewall object address names for improved usability, which requires the address objects' UUIDs to be logged.

To enable address object UUID logging in the CLI:

    config system global
        set log-uuid-address enable
    end

This console can be sorted by sessions or bytes. The data can be filtered by 5 minutes, 1 hour, or 24 hours.

FortiView Source Interfaces console

The FortiView Source Interfaces console lists the total number of source interfaces connected to your network, how many sessions there are on each interface, and the number of bytes sent.
This console can be sorted by bytes or sessions. The data can be filtered by 5 minutes, 1 hour, or 24 hours.

FortiView Sources console

The FortiView Sources console provides information about the sources of traffic on your FortiProxy unit.
You can select which source devices and source IP addresses are displayed. This console can be sorted by bytes,
sessions, or threat scores. The data can be filtered by 5 minutes, 1 hour, or 24 hours.

FortiView Sources - WAN console

The FortiView Sources - WAN console displays the top traffic sessions for interfaces with a role of WAN, aggregated by
source.
You can select which source devices and source IP addresses are displayed. This console can be sorted by bytes,
sessions, or threat scores. The data can be filtered by 5 minutes, 1 hour, or 24 hours.

FortiView Traffic Shaping console

The FortiView Traffic Shaping console displays the top traffic sessions aggregated by traffic shaper.
You can select which source devices and source IP addresses are displayed. This console can be sorted by dropped
bytes, bytes, sessions, bandwidth, or packets.

For information to appear in the Traffic Shaping console, at least one traffic shaper and at least
one traffic-shaping policy must be configured.

FortiView VPN console

The FortiView VPN console displays the top traffic sessions aggregated by VPN user.
You can select which user names and VPN types are displayed. This console can be sorted by connections or bytes.
The data can be filtered by 5 minutes, 1 hour, or 24 hours.

FortiView Web Categories console

The FortiView Web Categories console displays the top web categories. You can drill down by category.
You can select which domains and web categories are displayed. This console can be sorted by browsing time, threat
score, bytes, or sessions. The data can be filtered by 5 minutes, 1 hour, or 24 hours.

For information to appear in the FortiView Web Categories console, web filtering must be
enabled in a policy, with FortiGuard categories enabled.

FortiView Web Sites console

The FortiView Web Sites console lists the top allowed and top blocked web sites. You can view information by domain or
by FortiGuard categories by using the options in the top right corner. Each FortiGuard category can be selected to see a
description of the category and several example sites, with content loaded from FortiGuard on demand.
You can select which domains and web categories are displayed. This console can be sorted by browsing time, threat
score, bytes, or sessions. The data can be filtered by 5 minutes, 1 hour, or 24 hours.

For information to appear in the FortiView Web Sites console, web filtering must be enabled in
a policy, with FortiGuard categories enabled.

Using the process monitor

The Process Monitor displays running processes with their CPU and memory usage levels. Administrators can sort,
filter, and terminate processes within the Process Monitor pane.

To access the process monitor, do one of the following:

- Go to Dashboard > Status, click in the CPU or Memory widget, and select Process Monitor.
- Click the user name in the upper right-hand corner of the screen, then go to System > Process Monitor.

The Process Monitor appears, with a line graph, a donut chart, and the process list. Click the + beside the search bar to see which columns can be filtered.

To kill a process within the process monitor:

1. Select a process.
2. Click the Kill Process dropdown.
3. Select one of the following options:
   - Kill: the standard kill option, which produces one line in the crash log (diagnose debug crashlog read).
   - Force Kill: the equivalent of diagnose sys kill 9 <pid>. The result can be viewed in the crash log.
   - Kill & Trace: the equivalent of diagnose sys kill 11 <pid>. This generates a longer crash log and a backtrace, and the crash log is displayed afterwards.
Proxy Settings

For more information about web proxy and explicit web proxy, see Deployments on page 14.
This section covers the following topics:
- Explicit Proxy on page 50
- Web Proxy Setting on page 54
- Web Proxy Profile on page 57
- Forwarding Server on page 62
- Server URL on page 66
- FTP Proxy on page 69
- Isolator Server on page 71
- Proxy Options on page 73
- SSL Keyring on page 81

Explicit Proxy

Use the explicit web proxy configuration to enable the explicit HTTP proxy on one or more FortiProxy interfaces. IPv6 is supported.

IP pools support the explicit web proxy, allowing such traffic to be sourced from a range of IP
addresses.

To configure the explicit web proxy configuration, go to Proxy Settings > Explicit Proxy.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New: Create an explicit web proxy configuration. See Create or edit an explicit web proxy on page 51.

Edit: Modify the settings of an explicit web proxy configuration. See Create or edit an explicit web proxy on page 51.

Clone: Copy an existing explicit web proxy configuration.

Delete: Remove a proxy from the list.

Search: Enter a search term to find in the list.

Name: The name of the explicit web proxy configuration.

Status: The status of the explicit web proxy configuration.

Interface: The interface to which the proxy applies.

Ref.: Displays the number of times the object is referenced by other objects. To view where the object is referenced, select the number in Ref.; the Object Usage window opens and displays the locations of the referenced object.

Create or edit an explicit web proxy

Select Create New to open the Create Explicit Proxy window, or select an existing explicit web proxy configuration and click Edit to open the Edit Explicit Proxy window.

Configure the following settings in the Explicit Proxy window and then click OK:

Name: Enter the name of the explicit web proxy configuration.

Interfaces: Select, from the drop-down list, the interface or interfaces on which the explicit web proxy listens.

Status: This explicit web proxy configuration is enabled by default. Toggle to disable it.

HTTP Incoming IP: Restricts the explicit HTTP proxy to the specified IP address, so that it accepts sessions only on that address (useful when an interface has more than one address).

HTTP Incoming Port: Enter the port number that HTTP traffic from client web browsers uses to connect to the explicit proxy. Explicit proxy users must configure their browser's proxy settings to use this port. The default port is 8080. You can enter a maximum of eight ports, separated by commas; the range of values is 1-65535.

HTTPS Incoming Port: Select Use HTTP Port, or select Specify and enter the port number that HTTPS traffic from client web browsers uses to connect to the explicit proxy. Explicit proxy users must configure their browser's proxy settings to use this port. You can enter a maximum of eight ports, separated by commas; the range of values is 1-65535.

FTP Over HTTP: Select this checkbox to enable FTP over HTTP for the explicit web proxy. Then select Use HTTP Port, or select Specify and enter the port number.

SOCKS Proxy: Select this checkbox to enable the SOCKS proxy. Then select Use HTTP Port, or select Specify and enter the port number.

Prefer DNS Result: Select whether the DNS result uses an IPv4 or IPv6 address.

Unknown HTTP Version: Select the action to take when the proxy receives a request or message with an HTTP version it does not recognize: Best Effort, Reject, or Tunnel.
- Best Effort attempts to handle the HTTP traffic as best as it can.
- Reject treats unknown-version HTTP traffic as malformed and drops it.
- Tunnel passes the traffic through without parsing it as HTTP.

SEC Default Action: Accept or deny explicit web proxy sessions when no web proxy firewall policy exists. With Accept, sessions are allowed without any policy being applied, so any client that can reach the listening interface can use the proxy; leave this at Deny unless that is what you intend.

SSL Algorithm: Select the strength of the encryption algorithms accepted in HTTPS deep scan.

Authentication Realm: Enter an authentication realm to identify the explicit web proxy. The realm can be any text string of up to 63 characters; if it includes spaces, enclose it in quotes. When a user authenticates with the explicit web proxy, the HTTP authentication dialog box includes the realm, so users can use it to identify the explicit web proxy.

IPv6 Status: Toggle this setting if you want to use IPv6 addresses.

Return to Sender: Toggle this setting to return rejected explicit web proxy sessions to the sender.

PAC Status: Toggle this setting to serve a proxy auto-config (PAC) file that defines how web browsers choose a proxy server for HTTP content. A PAC file contains a FindProxyForURL(url, host) JavaScript function that returns a string of one or more access method specifications; these tell the web browser to use a particular proxy server or to connect directly.

PAC Port: Select Use HTTP Port, or select Specify and enter the port number on which the explicit proxy serves the PAC file. Browsers that use automatic proxy configuration must be pointed at this port.

PAC File Content: Select Edit to change a PAC file that was previously uploaded, or select Download and then Save to save a copy of the PAC file.

API Preview: The API Preview shows all REST API requests used by the page. Changes you make on the page are reflected in the API request preview. This feature is not available when the user is logged in as an administrator with read-only GUI permissions.

The FTP over HTTP proxy engine supports PORT mode, FTP over HTTP CONNECT, and uploads through PUT (UTM scanning).

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.
2. Enable Show modified changes only to show only the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.
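The following PAC file is an added example and is not part of this guide or of FortiProxy. It shows the FindProxyForURL(url, host) function described under PAC Status, written for clients of an explicit web proxy listening on the default HTTP incoming port 8080. The proxy host name proxy.corp.example.com, the internal DNS suffix .corp.example.com and the private address ranges are assumptions; replace them with your own. The helper functions (isPlainHostName, dnsDomainIs, shExpMatch, isInNet) are normally provided by the browser and are included here only so that the file can be run and tested stand-alone, for example under Node.js.

```javascript
// Added example, not from the FortiProxy guide: a PAC file for clients of a
// FortiProxy explicit web proxy. The proxy host name, the internal DNS suffix
// and the address ranges are assumptions; 8080 is the guide's default HTTP
// incoming port.
//
// Browsers supply isPlainHostName, dnsDomainIs, shExpMatch and isInNet
// natively. The minimal versions below exist only so the file also runs
// stand-alone for testing. A browser resolves a host name before isInNet
// compares it; this shim accepts literal IPv4 addresses only.

var FORTIPROXY = "PROXY proxy.corp.example.com:8080"; // assumed name and port
var INTERNAL_SUFFIX = ".corp.example.com";             // assumed internal DNS suffix

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Shell-style wildcard match: * matches any run of characters, ? matches one.
function shExpMatch(str, shexp) {
  var re = "^" + shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Dotted-quad IPv4 address to an unsigned 32-bit number, or null if the
// string is not an address (for example a host name).
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

function isInNet(host, network, mask) {
  var h = ipToInt(host), n = ipToInt(network), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Loopback, single-label intranet names, the internal DNS suffix and
  // private address space never leave the site, so they bypass the proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, INTERNAL_SUFFIX) ||
      isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }

  // Only the protocols the explicit proxy handles (HTTP, HTTPS and FTP over
  // HTTP) are sent to it. No "; DIRECT" fallback is appended: if the proxy is
  // unreachable, browsing fails closed instead of silently bypassing policy.
  if (shExpMatch(url, "http:*") || shExpMatch(url, "https:*") ||
      shExpMatch(url, "ftp:*")) {
    return FORTIPROXY;
  }

  // Anything else (for example ws: or a custom scheme) goes direct.
  return "DIRECT";
}
```

Upload the file under PAC File Content and point browsers at the URL served on the PAC Port. The proxy entry deliberately has no "; DIRECT" fallback after it: with a fallback, a browser that cannot reach the proxy silently connects directly and bypasses every policy the proxy enforces.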

Web Proxy Setting

Use the web proxy setting to change the global configuration of explicit web proxies.
Go to Proxy Settings > Web Proxy Setting to change the global explicit web proxy settings.

Configure the following settings and then click Apply:

Proxy FQDN: The FQDN for the global proxy server. This is the domain name that users enter into their browsers to reach the proxy server.

Max HTTP request length: The maximum length of an HTTP request that can be cached, in KB. Larger requests are rejected. The default is 8 KB.

Max HTTP message length: The maximum length of an HTTP message that can be cached, in KB. Larger messages are rejected. The default is 32 KB.

Realm: An authentication realm to identify the explicit web proxy. The realm can be any text string of up to 63 characters; if it includes spaces, enclose it in quotes. When a user authenticates with the explicit web proxy, the HTTP authentication dialog box includes the realm, so users can use it to identify the explicit web proxy.

Explicit Outgoing IP: Enter the IP address to use as the source address for outgoing HTTP requests made by the explicit web proxy. Select + to enter another IP address.

Webproxy Profile: Enter the name of the web proxy profile to apply when explicit proxy traffic is allowed by default, that is, when traffic is accepted that does not match an explicit proxy policy.

Default CA Certificate: Select which CA certificate to use by default. The default certificate is Fortinet_CA_SSL.

Forward Server Affinity Timeout: Enter the number of minutes after which traffic from a source IP address is no longer assigned to the same forwarding server. The default is 30 minutes. The range is 6-60 minutes.

Fast Policy Match: Fast policy matching improves the performance of IPv4 explicit and transparent web proxies on FortiProxy units. When it is enabled, the FortiProxy unit builds a fast searching table from the matching criteria of the configured proxy policies. When it is disabled, web proxy traffic is compared to the policies one at a time from the beginning of the policy list.

LDAP User Cache: Enable or disable the LDAP user cache.

Strict Web Check: Enable or disable (the default) blocking of web sites that send headers that do not conform to HTTP 1.1 (see RFC 2616 for more information). Enabling this option may block some commonly used websites.

Forward Proxy Auth: Enable or disable (the default) forwarding of proxy authentication headers. This option only matters in explicit mode, because proxy authentication headers are always forwarded in transparent mode. By default, the explicit web proxy blocks proxy authentication headers, so enable this setting if you need proxy authentication to pass through the explicit web proxy.

Strict Guest: Enable or disable strict guest user checking by the explicit web proxy.

HTTPS Replacement Message: Enable or disable displaying a replacement message for HTTPS requests.

Message Upon Server Error: Enable or disable displaying a replacement message when a server error is detected.

Trace Auth No Resp: Enable or disable logging of authentication requests that time out.

API Preview: The API Preview shows all REST API requests used by the page. Changes you make on the page are reflected in the API request preview. This feature is not available when the user is logged in as an administrator with read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.
2. Enable Show modified changes only to show only the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

Web Proxy Profile

You can create web proxy profiles that can add, remove, and change HTTP headers. The web proxy profile can be
added to the web proxy global configuration.
Go to Proxy Settings > Web Proxy Profile to change the web proxy profiles.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a web proxy profile. See Create or edit a web proxy profile on page 57.

Edit Edit the selected web proxy profile. See Create or edit a web proxy profile on page
57.

Delete Remove the selected web proxy profile.

Search Enter a search term to find in the list.

Name The name of the web proxy profile.

Strip Encoding Whether the profile strips out unsupported encoding from request headers and
correctly block banned words.

Log Header Change Whether the profile allows changes to the log header.

Pass Which HTTP headers will be forwarded in forwarded requests.

Add Which HTTP headers will be added in forwarded requests.

Remove Which HTTP headers will be removed from forwarded requests.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref., and the
Object Usage window appears displaying the various locations of the referenced
object.

Create or edit a web proxy profile

Select Create New to open the New Web Proxy Profile window, or select a web proxy profile and click Edit to open the Edit Web Proxy Profile window.

Configure the following settings in the New Web Proxy Profile window or Edit Web Proxy Profile window and then click OK:

Name: Enter the name of the new web proxy profile.

Strip Encoding: Toggle whether to strip unsupported encodings from request headers so that banned words are blocked correctly. This option can resolve issues when attempting to block content using Google Chrome.

Log Header Change: Toggle whether to log HTTP header changes.

Header Client IP: Select whether to Pass, Add, or Remove this HTTP header.

Header via Request: Select whether to Pass, Add, or Remove this HTTP header.

Header via Response: Select whether to Pass, Add, or Remove this HTTP header.

Header x Forwarded For: Select whether to Pass, Add, or Remove this HTTP header.

Header x Forwarded Client Cert: Select whether to Pass, Add, or Remove this HTTP header.

Header Front End HTTPS: Select whether to Pass, Add, or Remove this HTTP header.

Header x Authenticated User: Select whether to Pass, Add, or Remove this HTTP header.

Header x Authenticated Groups: Select whether to Pass, Add, or Remove this HTTP header.

The headers table lists the custom headers that the profile adds to or removes from forwarded requests and responses:

Create New: Select to add a new header. See Create or edit an HTTP header on page 60.

Edit: Select to change an existing header. See Create or edit an HTTP header on page 60.

Delete: Select to remove an existing header.

Search: Enter a search term to find in the list.

Name: The name of the HTTP forwarded header.

Base64 Encoding: Whether base64 encoding is enabled or disabled.

Protocol: Whether the header applies to HTTP, HTTPS, or both.

Destination Address: The destination addresses and destination address groups for which the header is applied.

Action: The action for the HTTP forwarded header: add-to-request, add-to-response, remove-from-request, or remove-from-response.

Add Option: How the new header is added: append, new-on-not-found, or new.

Header Content: The content of the HTTP header.

API Preview: The API Preview shows all REST API requests used by the page. Changes you make on the page are reflected in the API request preview. This feature is not available when the user is logged in as an administrator with read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request to the CMDB API that creates the web proxy profile is shown.
2. Enable Show modified changes only to show only the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

Create or edit an HTTP header

You can change the following HTTP headers:

- Header Client IP
- Header via Request
- Header via Response
- Header x Forwarded For
- Header x Forwarded Client Cert
- Header Front End HTTPS
- Header x Authenticated User
- Header x Authenticated Groups

For each of these headers, you can set the action to one of the following:

- Pass: forward the HTTP header unchanged
- Add: add the HTTP header
- Remove: remove the HTTP header

The web proxy can also add custom headers to, or remove them from, requests or responses. If you are adding a header, you can specify the content to be included in the added header.
Select Create New to open the Create Header window.

To open the Edit Header window, select a header and then click Edit.
Configure the following settings in the Create Header window or Edit Header window and then click OK:

Name: Enter a name for the HTTP forwarded header.

Action: Select the action for the HTTP forwarded header: add-to-request, add-to-response, remove-from-request, or remove-from-response.

Header Content: Enter the content of the HTTP header.

Base64 Encoding: Enable or disable base64 encoding.

Add Option: Select how the new header is added: append, new-on-not-found, or new.

Protocol: Select whether the new header uses HTTP, HTTPS, or both.

Destination Address: Select + to add destination addresses and destination address groups.

To create a web proxy profile and header from the CLI:

config web-proxy profile
edit <name>
set header-client-ip {add | pass | remove}
set header-via-request {add | pass | remove}
set header-via-response {add | pass | remove}
set header-x-forwarded-for {add | pass | remove}
set header-front-end-https {add | pass | remove}
set header-x-authenticated-user {add | pass | remove}
set header-x-authenticated-groups {add | pass | remove}
set strip-encoding {enable | disable}
set log-header-change {enable | disable}
config headers
edit <id>
set action {add-to-request | add-to-response | remove-from-request | remove-from-response}
set content <string>
set name <name>
next
end
next
end
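The header actions and add options above are easiest to see on a concrete request. The following Python model is an added example written for this editorial pass, not FortiProxy code; the behaviour it gives the three add options (append, new-on-not-found, new), the constructed client request and the addresses are assumptions for illustration only.

```python
"""Added example (not FortiProxy code): a model of the header actions (pass, add,
remove) and add options (append, new-on-not-found, new) applied to one request."""
from typing import List, Tuple

Headers = List[Tuple[str, str]]   # ordered (name, value) pairs; a name may repeat


def _positions(headers: Headers, name: str) -> List[int]:
    """Indexes of every header whose name matches, ignoring case."""
    return [i for i, (n, _) in enumerate(headers) if n.lower() == name.lower()]


def apply_header_rule(headers: Headers, name: str, action: str,
                      content: str = "", add_option: str = "new") -> Headers:
    """Return a new header list with one configured rule applied.

    action: 'pass' leaves the header as received, 'add' inserts content,
            'remove' strips every header of that name.
    add_option (semantics assumed for this example):
        'append'            join content to an existing value, or create the header
        'new-on-not-found'  create the header only when none of that name exists
        'new'               always add another header line of that name
    """
    out = list(headers)
    found = _positions(out, name)
    if action == "pass":
        return out
    if action == "remove":
        return [h for i, h in enumerate(out) if i not in found]
    if action != "add":
        raise ValueError(f"unknown action {action!r}")
    if add_option == "append":
        if found:
            i = found[0]
            out[i] = (out[i][0], f"{out[i][1]}, {content}")
        else:
            out.append((name, content))
    elif add_option == "new-on-not-found":
        if not found:
            out.append((name, content))
    elif add_option == "new":
        out.append((name, content))
    else:
        raise ValueError(f"unknown add option {add_option!r}")
    return out


def header_values(headers: Headers, name: str) -> List[str]:
    """Values of all headers with the given name, in order."""
    return [v for n, v in headers if n.lower() == name.lower()]


# Constructed request as the client sent it: it already carries an
# X-Forwarded-For claim and a Via entry, neither of which the proxy verified.
CLIENT_REQUEST: Headers = [
    ("Host", "www.example.com"),
    ("X-Forwarded-For", "203.0.113.9"),
    ("Via", "1.1 old-proxy"),
]


def forward_request(headers: Headers, client_ip: str) -> Headers:
    """Apply three rules of the kind configured above (constructed policy):
    X-Forwarded-For add/append with the connecting client's address, Via
    remove-from-request, and a custom Front-End-Https header that is only
    added when the client did not already send one."""
    h = apply_header_rule(headers, "X-Forwarded-For", "add", client_ip, "append")
    h = apply_header_rule(h, "Via", "remove")
    h = apply_header_rule(h, "Front-End-Https", "add", "on", "new-on-not-found")
    return h
```

With append, the client's own claim (203.0.113.9) stays in front of the address the proxy actually observed, so an upstream server should read only the last entry, the one written by the hop it trusts; where client-supplied values are not wanted at all, remove the header first and then add a fresh one. Enabling log-header-change keeps a record of the header changes the proxy made, which is what a reviewer needs when a header-based access decision is questioned.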

Forwarding Server

By default, the FortiProxy unit monitors a web proxy forwarding server by forwarding a connection to the remote server
every 10 seconds. If the remote server does not respond, it is assumed to be down. Checking continues while the server
is down; when the server responds again, it is assumed to be back up. If health checking is enabled, the FortiProxy unit
attempts to get a response from a web server by connecting through the remote forwarding server every 10 seconds.
You can enable health checking for each remote server and specify a different web site to check for each one.
If the remote server is down, you can configure the FortiProxy unit to either block sessions until the server comes back
up or allow sessions to connect to their destination using the original server. You cannot configure the FortiProxy unit to
fail over to another remote forwarding server.
To configure the server-down action and enable health monitoring, go to Proxy Settings > Forwarding Server.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a forwarding server. See Create or edit a forwarding server on page 63.

Edit Edit a forwarding server. See Create or edit a forwarding server on page 63.

Delete Remove a forwarding server from the list.

Search Enter a search term to find in the list.

Server Name The name of the forwarding server.

Address The IP address of the forwarding server.

Port The port number of the forwarding server.

Health Check Indicates whether the health check is disabled or enabled for that forwarding
server.

Server Down The action that the FortiProxy unit takes when the server is down.

Comments Optional description of the forwarding server.


Create or edit a forwarding server

Select Create New to open the New Forwarding Server window.

To open the Edit Forwarding Server window, select a forwarding server and then click Edit.
Configure the following settings in the New Forwarding Server window or Edit Forwarding Server window and then click
OK:

Name Enter the name of the forwarding server.

Proxy Address Type Select the type of IP address of the forwarding server, either IP or FQDN.

Proxy Address Enter the IP address or the fully qualified domain name of the forwarding server.

Port Enter the port number of the forwarding server.

Server Down Action Select what action the FortiProxy unit will take if the forwarding server is down,
either Block or Use Original Server.

Health Monitor Enable or disable health check monitoring.

Health Check Monitor Site If you enabled Health Monitor, enter the URL address of the health check
monitoring site.

Masquerade Enable or disable whether the web proxy uses the device address to connect to
the proxy server.

Comments Enter an optional description of the forwarding server.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.


To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown for the CMDB API that creates the explicit proxy configuration.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

To create a forwarding server in the CLI:

config web-proxy forward-server
edit <server_name>
set addr-type {ip | fqdn}
set ip <IPv4_address>
set fqdn <FQDN>
set port <1-65535>
set healthcheck {disable | enable}
set server-down-option {block | pass}
set comment <string>
set authentication {disabled | immediately | upon-challenge}
set masquerade {enable | disable}
next
end

Selectively forward web requests to a transparent web proxy

Web traffic over HTTP/HTTPS can be forwarded selectively by the FortiProxy unit's transparent web proxy to an
upstream web proxy to avoid overwhelming the proxy server. Traffic can be selected by specifying the proxy address
(set webproxy-forward-server), which can be based on a FortiGuard URL category.

The FortiGuard web filter service must be enabled on the downstream FortiProxy unit.

Forwarding behavior

The forward server will be ignored if the proxy policy matching for a particular session needs the FortiProxy unit to see
authentication information inside the HTTP (plain text) message. For example, assume that user authentication is
required and a forward server is configured in the transparent web proxy, and the authentication method is an active
method (such as basic). When the user or client sends the HTTP request over SSL with authentication information to the
FortiProxy unit, the request cannot be forwarded to the upstream proxy. Instead, it will be forwarded directly to the
original web server (assuming deep inspection and http-policy-redirect are enabled in the firewall policy).
The FortiProxy unit will close the session before the client request can be forwarded if all of the following conditions are
met:
• The certificate inspection is configured in the firewall policy that has the http-policy-redirect option enabled.
• A previously authenticated IP-based user record cannot be found in the FortiProxy unit's memory during the SSL
handshake.
• Proxy policy matching needs the FortiProxy unit to see the HTTP request authentication information.


Use the following best practices to enable user authentication and use webproxy-forward-server in the transparent
web proxy policy at the same time:
• In the firewall policy that has the http-policy-redirect option enabled, set ssl-ssh-profile to use the
deep-inspection profile.
• Use IP-based authentication rules; otherwise, the webproxy-forward-server setting in the transparent web
proxy policy will be ignored.
• Use a passive authentication method such as FSSO. With FSSO, once the user is authenticated as a domain user
by a successful login, the web traffic from the user's client will always be forwarded to the upstream proxy as long as
the authenticated user remains unexpired. If the authentication method is an active authentication method (such as
basic, digest, NTLM, negotiate, form, and so on), the first session containing authentication information will bypass
the forward server, but the following sessions will be connected through the upstream proxy.

Sample configuration

On the downstream FortiProxy proxy, there are two category proxy addresses used in two separate transparent web
proxy policies as the destination address:
• In the policy with upstream_proxy_1 as the forward server, the proxy address category_infotech is used to
match URLs in the information technology category.
• In the policy with upstream_proxy_2 as the forward server, the proxy address category_social is used to
match URLs in the social media category.

To configure forwarding requests to transparent web proxies:

1. Configure the proxy forward servers:


config web-proxy forward-server
edit "upStream_proxy_1"
set ip 172.16.200.20
next
edit "upStream_proxy_2"
set ip 172.16.200.46
next
end

2. Configure the web proxy addresses:


config firewall proxy-address
edit "category_infotech"
set type category
set host "all"
set category 52
next
edit "category_social"
set type category
set host "all"
set category 37
next
end

3. Configure the firewall policy:


config firewall policy
edit 1
set srcintf "port10"
set dstintf "port9"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "deep-inspection"
set av-profile "av"
next
end

4. Configure the proxy policies:


config firewall policy
edit 1
set type transparent
set srcintf "port10"
set dstintf "port9"
set srcaddr "all"
set dstaddr "category_infotech"
set action accept
set schedule "always"
set logtraffic all
set webproxy-forward-server "upStream_proxy_1"
set utm-status enable
set ssl-ssh-profile "deep-inspection"
set av-profile "av"
next
edit 2
set type transparent
set srcintf "port10"
set dstintf "port9"
set srcaddr "all"
set dstaddr "category_social"
set action accept
set schedule "always"
set logtraffic all
set webproxy-forward-server "upStream_proxy_2"
set utm-status enable
set ssl-ssh-profile "deep-inspection"
set av-profile "av"
next
end

Server URL

The URL match list is used to exempt URLs from caching and to enable forwarding specific URLs to a web proxy server.
URLs, URL patterns, and numeric IP addresses can be added to the match list.
For example, if your users access web sites that are not compatible with FortiProxy web caching, you can add the URLs
of these web sites to the web caching exempt list, and all traffic accepted by a web cache policy for these websites will
not be cached.
To see the available URL match entries, go to Proxy Settings > Server URL.


Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a URL match entry. See Create or edit a URL match entry on page 67.

Edit Edit a URL match entry. See Create or edit a URL match entry on page 67.

Delete Remove a URL match entry from the list.

Search Enter a search term to find in the list.

Name The name for the URL match entry.

URL Pattern The URL, URL pattern, or numeric IP address to match.

Cache Exemption Whether the URL is exempt from caching.

Forward Server Name of the forwarding server that the URL is forwarded to. To create a
forwarding server, see Create or edit a forwarding server on page 63.

Status The status is either enable or disable.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref., and the
Object Usage window appears displaying the various locations of the referenced
object.

Comments Optional description of the URL match entry.

Create or edit a URL match entry

Select Create New to open the New URL Match Entry window.


To open the Edit URL Match Entry window, select a URL match entry and then click Edit.
Configure the following settings in the New URL Match Entry window or Edit URL Match Entry window and then click OK.

Name Enter a name for the URL match entry.

URL Pattern Enter the URL, URL pattern, or numeric IP address to match.

Forward to Server If you want to forward the URL to a web proxy server, enable Forward to Server
and select the server from the drop-down list.
To create a forwarding server, see Forwarding Server on page 62.

Exempt from Cache Enable this option to exempt the URL from caching.

Enable this URL Enable this option to make the URL match entry active.

Comments Enter an optional description of the URL match entry.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.


To create a URL match entry in the CLI:

config web-proxy url-match
edit <name>
set comment <optional_string>
set url-pattern <value>
set cache-exemption {enable | disable}
set forward-server <forwarding_server_name>
set status {enable | disable}
next
end

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown for the CMDB API that creates the explicit proxy configuration.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

FTP Proxy

You can enable the explicit FTP proxy on one or more FortiProxy interfaces. The explicit web and FTP proxies can
operate at the same time on the same or on different FortiProxy interfaces.

Enabling the explicit FTP proxy on an interface connected to the Internet is a security risk
because anyone on the Internet who finds the proxy could use it to hide their source address.

To configure the explicit FTP proxy, go to Proxy Settings > FTP Proxy.


Configure the following settings and then click Apply:

Status Select Enable to make the explicit FTP proxy active.

Incoming IP Enter the incoming IP address.

Outgoing IP Enter the outgoing IP address.

Default Firewall Policy Action If Default Firewall Policy Action is set to Deny, traffic sent to the explicit FTP proxy
that is not accepted by an explicit FTP proxy policy is dropped. If Default Firewall
Policy Action is set to Allow, all FTP proxy sessions that do not match a policy are
allowed.

Incoming Port Enter the range of incoming port numbers. Click + to add another range.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.


To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown for the CMDB API that creates the explicit proxy configuration.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

FTPS handling

When explicit-ftp-tls is enabled in the FTP protocol options, FTP is always redirected, regardless of the FTPS
status, and deep inspection is done for the explicit FTPS session.
config firewall profile-protocol-options
edit "test"
config ftp
set ports 21
set status enable
set explicit-ftp-tls {disable | enable}
end
next
end

When deep inspection is enabled, FTPS is always redirected.

Isolator Server

To see a list of isolator servers, go to Proxy Settings > Isolator Server.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create an isolator server. See Create or edit an isolator server on page 72.

Edit Edit an isolator server. See Create or edit an isolator server on page 72.

Clone Copy an existing isolator server.

Delete Remove an isolator server from the list.

Search Enter a search term to find in the list of isolator servers.

Name The name of the isolator server.


Address Type The isolator server address is either an IP address or a fully qualified domain
name (FQDN).

IP The IP address of the isolator server.

FQDN The FQDN of the isolator server.

Ref. Displays the number of times the object is referenced to other objects. To view the
location of the referenced object, select the number in Ref., and the Object Usage
window appears displaying the various locations of the referenced object.

Comments Optional description of the isolator server.

Create or edit an isolator server

Select Create New to open the Create Isolator Server window.

To open the Edit Isolator Server window, select an isolator server and then click Edit.
Configure the following settings in the Create Isolator Server window or Edit Isolator Server window and then click OK:


Name Enter the name of the isolator server.

Comments Enter an optional description of the isolator server.

Address Type Select the type of isolator server address, either IP or FQDN.

IP If you selected IP for the address type, enter the IP address of the isolator server.

FQDN If you selected FQDN for the address type, enter the fully qualified domain name
of the isolator server.

Port Enter the port number of the isolator server.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

To control whether the web proxy uses the device address to connect to the proxy server:

config web-proxy isolator-server
edit <server_name>
set masquerade {enable | disable}
next
end

Proxy Options

Certain inspections defined in security profiles require that the traffic be held in proxy while the inspection is carried out.
When a security profile requiring the use of a proxy is enabled in a policy, the Proxy Options field is displayed. The proxy
options define the parameters of how the traffic will be processed and to what level the traffic will be processed. There
can be multiple security profiles of a single type. There can also be a number of unique proxy option profiles. As the
requirements for a policy differ from one policy to the next, a different proxy option profile for each individual policy can
be configured or one profile can be repeatedly applied.
The proxy options refer to the handling of the following protocols:
• HTTP
• SMTP
• POP3
• IMAP
• FTP
• NNTP
• MAPI
• DNS
• CIFS
The configuration for each of these protocols is handled separately.
Just like other components of the FortiProxy unit, different proxy option profiles can be configured to allow for granular
control of the FortiProxy unit. In the case of the proxy option profiles, you need to match the correct profile to a firewall
policy that is using the appropriate protocols. If you are creating a proxy option profile that is designed for policies that
control SMTP traffic into your network, you only want to configure the settings that apply to SMTP. You do not need or
want to configure the HTTP components.
To view the available proxy option profiles, go to Proxy Settings > Proxy Options.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a proxy option profile. See Create or edit a proxy option profile on page 77
and Create a CIFS proxy option on page 80.

Edit Modify the selected proxy option profile. See Create or edit a proxy option profile
on page 77.

Clone Make a copy of the selected proxy option profile.

Delete Remove the selected proxy option profile.

Search Enter a search term to find in the proxy option profile list.

Name The name of the proxy option profile.

Read Only The default proxy option profile is read only. It cannot be changed or deleted.

Comments An optional description of the proxy option profile.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Video streaming splitting

The following are the most popular audio/video streaming protocols:

1. Real-time Transport Protocol (RTP)
2. Real Time Streaming Protocol (RTSP)
3. MPEG-Dynamic Adaptive Streaming over HTTP (DASH)
4. Apple HTTP Live Streaming (HLS)
5. Adobe HTTP Dynamic Streaming (HDS)
6. Microsoft Smooth Streaming (MSS)

To deliver streams smoothly and transmit as much information as possible, video stream splitting splits streams into
fragments, and their size is negotiated dynamically between the client and server. Sometimes, the fragment size is kept
unchanged. The default fragment sizes are 64 bytes for audio data and 128 bytes for video data and most other data
types. Fragments from different streams can then be interleaved and multiplexed over a single connection. Streams can
carry, for example, video and one or more audio channels, next to a control channel to control the streams. This is similar
to the separate command and data sessions of FTP.
FortiProxy supports Apple HLS and MPEG-DASH stream splitting, which can be transferred over HTTP(S) or TCP port
1935.

Configuring TCP windows

Some file transfer applications can negotiate large TCP windows. For example, WinSCP can negotiate an initial TCP
window size of about 2 GB.
Starting in FortiProxy 7.0.0, the TCP window options can be used to prevent overly large initial TCP window sizes,
helping avoid channel flow control issues. It allows stream-based scan's flow control to limit peers from sending data that
exceeds a policy's configured oversize limit.

To configure TCP window size options:

config firewall profile-protocol-options
edit <string>
config {ftp | ssh}
...
set stream-based-uncompressed-limit <integer>
set tcp-window-type {system | static | dynamic}
set tcp-window-size <integer>
set tcp-window-minimum <integer>
set tcp-window-maximum <integer>
...
end
next
end

{ftp | ssh}
• ftp: Configure FTP protocol options.
• ssh: Configure SFTP and SCP protocol options.

stream-based-uncompressed-limit <integer>
The maximum stream-based uncompressed data size that will be scanned, in MB (default = 0 (unlimited)).
Stream-based uncompression is used only under certain conditions.

tcp-window-type {system | static | dynamic}
The TCP window type to use for this protocol.
• system: Use the system default TCP window size for this protocol (default).
• static: Manually specify the TCP window size.
• dynamic: Vary the TCP window size based on available memory within the limits configured in
tcp-window-minimum and tcp-window-maximum.

tcp-window-size <integer>
The TCP static window size (65536 - 33554432, default = 262144). This option is only available when
tcp-window-type is static.

tcp-window-minimum <integer>
The minimum TCP dynamic window size (65536 - 1048576, default = 131072). This option is only available when
tcp-window-type is dynamic.

tcp-window-maximum <integer>
The maximum TCP dynamic window size (1048576 - 33554432, default = 8388608). This option is only available when
tcp-window-type is dynamic.
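The ranges and the static/dynamic dependencies listed above are easy to get wrong when a profile is assembled by hand or generated by a template. The following Python checker is an added example, not part of this guide or of FortiProxy; it reads the set lines of one ftp or ssh block and reports values outside the documented ranges, options used with the wrong tcp-window-type, and a minimum above the maximum. The two configuration blocks at the end are constructed for the demonstration.

```python
"""Added example (not FortiProxy code): check the tcp-window-* options of one
ftp or ssh block against the ranges and dependencies documented above."""
from typing import Dict, List, Union

Value = Union[int, str]

# (minimum, maximum, default) for each option, as documented for FortiProxy 7.0
LIMITS = {
    "tcp-window-size":    (65536, 33554432, 262144),
    "tcp-window-minimum": (65536, 1048576, 131072),
    "tcp-window-maximum": (1048576, 33554432, 8388608),
}


def parse_set_lines(cli_text: str) -> Dict[str, Value]:
    """Collect the 'set <option> <value>' lines of one config block into a dict.
    Purely numeric values become ints; everything else is kept as a string."""
    opts: Dict[str, Value] = {}
    for raw in cli_text.splitlines():
        parts = raw.strip().split(None, 2)
        if len(parts) == 3 and parts[0] == "set":
            opts[parts[1]] = int(parts[2]) if parts[2].isdigit() else parts[2]
    return opts


def validate_tcp_window(opts: Dict[str, Value]) -> List[str]:
    """Return a list of problems; an empty list means the block is consistent."""
    errors: List[str] = []
    wtype = opts.get("tcp-window-type", "system")   # system is the documented default
    if wtype not in ("system", "static", "dynamic"):
        return [f"tcp-window-type {wtype!r} is not system, static or dynamic"]
    # range checks for every option that is present
    for key, (lo, hi, _default) in LIMITS.items():
        if key in opts:
            v = opts[key]
            if not isinstance(v, int) or not lo <= v <= hi:
                errors.append(f"{key}={v!r} is outside {lo}-{hi}")
    # availability: size belongs to static, minimum/maximum to dynamic
    if wtype != "static" and "tcp-window-size" in opts:
        errors.append("tcp-window-size is only available when tcp-window-type is static")
    if wtype != "dynamic":
        for key in ("tcp-window-minimum", "tcp-window-maximum"):
            if key in opts:
                errors.append(f"{key} is only available when tcp-window-type is dynamic")
    else:
        lo = opts.get("tcp-window-minimum", LIMITS["tcp-window-minimum"][2])
        hi = opts.get("tcp-window-maximum", LIMITS["tcp-window-maximum"][2])
        if isinstance(lo, int) and isinstance(hi, int) and lo > hi:
            errors.append(f"tcp-window-minimum {lo} exceeds tcp-window-maximum {hi}")
    return errors


# Constructed blocks: a valid static profile and a dynamic profile with three faults
GOOD_STATIC = """
config ftp
    set tcp-window-type static
    set tcp-window-size 262144
end
"""

BAD_DYNAMIC = """
config ssh
    set tcp-window-type dynamic
    set tcp-window-minimum 2097152
    set tcp-window-maximum 1048576
    set tcp-window-size 65536
end
"""
```

Run validate_tcp_window(parse_set_lines(block)) on each ftp or ssh block before pushing a profile; a non-empty result is the list of lines to correct, and a window that is rejected here would otherwise silently fall back to, or fail to, the behaviour of the type actually in force.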

Handling SSL offloaded traffic from an external decryption device

Starting in FortiProxy 7.0.0, in scenarios where the FortiProxy unit is sandwiched between load-balancers and SSL
processing is offloaded on the external load-balancers, the FortiProxy unit can perform scanning on the unencrypted
traffic by specifying the ssl-offloaded option in firewall profile-protocol-options.

To configure SSL offloading:

config firewall profile-protocol-options


edit <name>
config http
set ports <1-65535>
set ssl-offloaded {no | yes}
end
config ftp
set ports <1-65535>
set ssl-offloaded {no | yes}
end
config imap
set ports <1-65535>
set ssl-offloaded {no | yes}
end
config pop3
set ports <1-65535>
set ssl-offloaded {no | yes}
end
config smtp
set ports <1-65535>
set ssl-offloaded {no | yes}
end
config ssh
set ports <1-65535>
set ssl-offloaded {no | yes}
end
next
end


HTTP domain fronting blocking

To block HTTP domain fronting:

config firewall profile-protocol-options
edit <name>
config http
set domain-fronting disable
end
next
end
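Domain fronting is a TLS session whose Server Name Indication (SNI) names one server, typically one that is allowed, while the Host header of the HTTP request inside the encrypted stream names another; a proxy can only compare the two once deep inspection exposes the Host header. The following Python check is an added example for this guide and not FortiProxy code; the session list is constructed, and the block/allow switch is a stand-in for the policy option above, not its CLI syntax.

```python
"""Added example (not FortiProxy code): detect HTTP domain fronting by comparing
the TLS SNI of a session with the Host header of the decrypted HTTP request."""
from typing import List, Optional, Tuple


def normalize_host(value: str) -> str:
    """Lower-case the name and strip whitespace, a trailing dot and a :port suffix.
    IPv6 literals appear as [addr]:port in a Host header, so handle them first."""
    v = value.strip().lower()
    if v.startswith("[") and "]" in v:
        v = v[1:v.index("]")]
    elif v.count(":") == 1:          # host:port; a bare IPv6 literal has more colons
        v = v.split(":", 1)[0]
    return v.rstrip(".")


def classify_request(sni: Optional[str], host_header: Optional[str]) -> str:
    """Return 'ok', 'fronting', 'no-sni' or 'no-host' for one decrypted request."""
    if not sni:
        return "no-sni"    # e.g. a client connecting to a literal IP; nothing to compare
    if not host_header:
        return "no-host"   # HTTP/1.1 requires Host, so this is itself anomalous
    return "fronting" if normalize_host(sni) != normalize_host(host_header) else "ok"


def decide(sni: Optional[str], host_header: Optional[str],
           block_fronting: bool = True) -> str:
    """Emulate the policy decision: 'block' a fronted request when blocking is on,
    otherwise 'allow'. Only the 'fronting' verdict is acted on here; 'no-sni' and
    'no-host' are left to the normal policy but are worth logging separately."""
    if classify_request(sni, host_header) == "fronting" and block_fronting:
        return "block"
    return "allow"


# Constructed sessions as a proxy with deep inspection would see them
SESSIONS = [
    ("cdn.example.net", "cdn.example.net:443"),    # normal request
    ("cdn.example.net", "hidden.example.org"),     # Host disagrees with SNI
    ("CDN.Example.NET", "cdn.example.net."),       # case and trailing dot only
    (None, "www.example.com"),                     # no SNI offered
]


def report() -> List[Tuple[Optional[str], str, str, str]]:
    """(sni, host, verdict, decision) for each constructed session."""
    return [(sni, host, classify_request(sni, host), decide(sni, host))
            for sni, host in SESSIONS]
```

The comparison is deliberately strict: only case, a trailing dot and the port are normalised, so a wildcard or a CDN alias that legitimately serves several names will show up as fronting and needs an explicit exception rather than a looser match.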

Create or edit a proxy option profile

To configure a new proxy option profile, go to Proxy Settings > Proxy Options and click Create New. The New Proxy
Options page is displayed.


Configure the following settings and then click OK to save your changes:

Name The name of the proxy option profile.


Comments Optional description of the proxy option profile.

Log Oversized Files Enable this setting to log when oversized files are processed. The setting does
not change how the files are processed. It only enables the FortiProxy unit to log
that they were either blocked or allowed through. A common practice is to allow
larger files through without antivirus processing. This practice allows you to get an
idea of how often this happens and decide on whether to alter the settings relating
to the treatment of oversized files.

RPC over HTTP Enable or disable the inspection of RPC over HTTP.

Protocol Port Mapping To optimize the resources of the unit, enable or disable the mapping and
inspection of protocols. When you enable a protocol, the default port numbers are
automatically filled in, but you can change them.

Common Options

Comfort Clients When proxy-based antivirus scanning is enabled, the FortiProxy unit buffers files
as they are downloaded. After the entire file is captured, the FortiProxy unit begins
scanning the file. During the buffering and scanning procedure, the user must
wait. After the scan is completed, if no infection is found, the file is sent to the next
step in the process flow. If the file is large, this part of the process can take
some time; in some cases, enough time that users become impatient and
cancel the download.
The Comfort Clients feature mitigates this potential issue by feeding a trickle of
data while waiting for the scan to complete. The user then knows that processing
is taking place and that there hasn't been a failure in the transmission. The slow
transfer rate continues until the antivirus scan is complete. After the file has been
successfully scanned and found to be clean of any viruses, the transfer will
proceed at full speed.
Enable and then configure the following:
• Interval (seconds): Enter the interval time in seconds. The default is 10.
• Amount (bytes): Enter the amount in bytes. The default is 1.

Block Oversized File/Email You can block files or emails that are larger than a specified size.
Enable and then enter the threshold size in megabytes of the files and emails to
block.

Web Options

Chunked Bypass The HTTP section allows the enabling of Chunked Bypass. This refers to the
mechanism in version 1.1 of HTTP that allows a web server to start sending
chunks of dynamically generated output in response to a request before
knowing the actual size of the content. Where dynamically generated content is
concerned, enabling this feature means that there is a faster initial response to
HTTP requests. From a security standpoint, enabling this feature means that the
content is not held in the proxy as an entire file before proceeding.
Enable or disable the chunked bypass setting.


API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

Create a CIFS proxy option

CIFS can be configured in the GUI by creating or editing a proxy option under Proxy Settings > Proxy Options, and in the
CLI using the config firewall profile-protocol-options command. The cifs-profile command is no
longer available from the firewall policy options.
The CIFS proxy option can then be used in a policy.

To create a CIFS proxy option:

config firewall profile-protocol-options
edit <option>
config cifs
set ports <port>
set status {enable | disable}
set options <string>
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
set tcp-window-type {auto-tuning | system | static | dynamic}
set server-credential-type {none | credential-replication | credential-keytab}
end
next
end

To use the CIFS proxy option in a policy:

• In the CLI, select the option using the set profile-protocol-options <option> command:
config firewall policy
edit 1
set profile-protocol-options <option>
next
end
• In the GUI, select the option in the Protocol Options field when editing a policy.

SSL Keyring

A keyring list is a file that contains multiple SSL client certificates in PEM format. A list can include a maximum of 240,000
client certificates. Certificate chains are also supported. The list can be uploaded using the GUI or SCP.
The keyring list must start with #keyring and uses the following format:
#keyring:1
<private_key_1>
<certificate_1>
<optional_certificate_chain_1>
#keyring:2
<private_key_2>
<certificate_2>
<optional_certificate_chain_2>
....

For example:
#keyring:1
-----BEGIN PRIVATE KEY-----
MC4CAQ...arfLXfXrEve+Yb8zQ
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MII...SDg==
-----END CERTIFICATE-----
#keyring:2
-----BEGIN EC PARAMETERS-----
Bg...Bw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHc...onQ==
-----END EC PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MII...4Dh
-----END CERTIFICATE-----
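Before uploading a large keyring list it is worth checking that it follows the format above, since one missing marker or a key placed after its certificate can spoil a file of up to 240,000 entries. The following Python parser is an added example, not Fortinet code; it checks structure only (the #keyring markers, the PEM block labels and their order), not that each private key matches its certificate. The sample list is constructed with placeholder base64, so it contains no usable key or certificate.

```python
"""Added example (not Fortinet code): parse a keyring list and report entries that
do not follow the documented layout (marker, private key, certificate, chain)."""
import re
from dataclasses import dataclass
from typing import List

MAX_ENTRIES = 240_000                           # documented limit for one list
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
MARKER = re.compile(r"^#keyring:(\d+)[ \t]*$", re.M)
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


@dataclass
class KeyringEntry:
    index: int           # the N in #keyring:N
    blocks: List[str]    # PEM block labels in the order they appear


def parse_keyring(text: str) -> List[KeyringEntry]:
    """Split the list at its #keyring:N markers and record each entry's PEM blocks."""
    chunks = MARKER.split(text)      # [preamble, index, body, index, body, ...]
    if chunks[0].strip():
        raise ValueError("keyring list must start with #keyring")
    entries: List[KeyringEntry] = []
    for i in range(1, len(chunks), 2):
        labels = [m.group(1) for m in PEM_BLOCK.finditer(chunks[i + 1])]
        entries.append(KeyringEntry(int(chunks[i]), labels))
    return entries


def check_keyring(entries: List[KeyringEntry]) -> List[str]:
    """Structural problems found in the parsed list; empty when it looks well formed."""
    problems: List[str] = []
    if not entries:
        problems.append("no #keyring entries found")
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceeds the limit of {MAX_ENTRIES}")
    seen = set()
    for e in entries:
        tag = f"#keyring:{e.index}"
        if e.index in seen:
            problems.append(f"{tag} appears more than once")
        seen.add(e.index)
        key_pos = [i for i, lbl in enumerate(e.blocks) if lbl in KEY_LABELS]
        cert_pos = [i for i, lbl in enumerate(e.blocks) if lbl == "CERTIFICATE"]
        if len(key_pos) != 1:
            problems.append(f"{tag}: expected exactly one private key, found {len(key_pos)}")
        if not cert_pos:
            problems.append(f"{tag}: no certificate")
        elif key_pos and key_pos[0] > cert_pos[0]:
            problems.append(f"{tag}: private key must come before the certificate")
    return problems


# Constructed sample in the documented layout; the base64 is a placeholder, not key material
SAMPLE_KEYRING = """#keyring:1
-----BEGIN PRIVATE KEY-----
MC4CAQ.placeholder.constructed
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MII.placeholder.constructed
-----END CERTIFICATE-----
#keyring:2
-----BEGIN EC PARAMETERS-----
Bg.placeholder
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHc.placeholder.constructed
-----END EC PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MII.placeholder.constructed
-----END CERTIFICATE-----
"""

# Constructed faulty entry: a certificate with no private key
BAD_KEYRING = """#keyring:1
-----BEGIN CERTIFICATE-----
MII.placeholder.constructed
-----END CERTIFICATE-----
"""
```

Run check_keyring(parse_keyring(open(path).read())) on the file you intend to upload; because the check is structural it is safe to run on a management host without exposing the keys to any further tooling, and a non-empty result names the entry to fix by its #keyring index.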

To upload a keyring list in the GUI:

1. Go to Proxy Settings > SSL Keyring and click Create New.
2. Enter a name for the list.
3. Click Upload to upload the list from the management computer.
4. Click OK.

To upload a keyring list from the management computer using SCP:

scp <keyring-file-path> admin@<FPX address>:keyring-list:<optional profile name>

For example:
scp mykeyring admin@10.10.10.1:keyring-list:mykeyring

Network

The Network menu allows you to configure the unit to operate on the network. This menu provides features for
configuring and viewing basic network settings, such as the unit’s interfaces, Domain Name System (DNS) options, and
routing table.
This section describes the following:
• Interfaces on page 83
• GRE Tunnel on page 96
• DNS Settings on page 99
• DNS Service on page 103
• Packet Capture on page 107
• Static routes on page 110
• Policy routes on page 113

Interfaces

Unless stated otherwise, the term interface refers to a physical FortiProxy interface.

In Network > Interfaces, you can configure the interfaces that handle incoming and outgoing traffic.


Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New: Select to create an interface or a zone. See Create or edit an interface on page 89 and Create or edit a zone on page 94.

Edit: Modifies settings within the interface or zone. See Create or edit an interface on page 89 and Create or edit a zone on page 94.

Delete: Removes an interface from the list. To remove multiple interfaces, select multiple rows in the list by holding down the Ctrl or Shift keys and then select Delete.

Search: Enter a search term to find in the list.

Grouping: Select Group By Type, Group By Role, Group By Status, Group By Zone, or No Grouping to change how the rows are displayed on the interface list.

Status: The administrative status for the interface. If the administrative status is green, the interface is up and can accept network traffic. If the administrative status is red, the interface is administratively down and cannot accept traffic. To change the administrative status of an interface, right-click the icon and select the Set Status setting for the interface.


Name: The names of the physical interfaces on your FortiProxy unit. The names include any alias names that have been configured.

Type: The type of the interface, such as Physical Interface.

Members: Interfaces that belong to the virtual interface of the software switch.

IP/Netmask: The current IP address/netmask of the interface. When IPv6 Support is enabled on the GUI, IPv6 addresses are displayed in this column.

Administrative Access: The administrative access configuration for the interface.

Ref.: Displays the number of times the object is referenced by other objects. To view the location of the referenced object, select the number in Ref., and the Object Usage window appears displaying the various locations of the referenced object.

Bytes: The number of bytes being used.

Description: A description of the interface.

DHCP Clients: If the interface has been configured as a DHCP client.

DHCP Ranges: The range of IPv4 addresses.

Errors: Any errors detected.

IPv6 Access: The types of administrative access permitted for IPv6 connections to this interface.

IPv6 Address: The IPv6 address/subnet mask for the interface.

IPv6 DHCP Clients: If the interface has been configured as a DHCP client.

IPv6 DHCP Ranges: The range of IPv6 addresses.

Link Status: The status is Up when a valid cable is plugged in. The status is Down when an invalid cable is plugged in.

MAC Address: The MAC address of the interface.

Packets: The total number of packets that have been sent and received. Hover over the bar chart to see the separate packet numbers.

Role: The role can be LAN, WAN, DMZ, or Undefined.

Secondary IP(s): The secondary IPv4 addresses added to the interface.

Secondary IPv6 Addresses: The secondary IPv6 addresses added to the interface.

Security Mode: The mode is either None or Captive Portal.

VLAN ID: The configured VLAN ID for VLAN subinterfaces.

VRRP: Whether the Virtual Router Redundancy Protocol is being used.

Zone: The name of the zone that the interface belongs to.


To change the VLAN ID:

1. Go to Network > Interfaces, select a VLAN, and then click Edit.


2. Beside the VLAN ID field, click Edit. The Update VLAN ID window opens.

3. Enter the new ID and click Next.

4. Verify the changes and then click Update and OK.


5. The target object status changes to Updated entry. Click Close.

In the interface settings, the new VLAN ID is displayed.

Link health monitor

A link health monitor confirms the connectivity of the device’s interface. You can detect possible routing loops with link
health monitors. You can configure the FortiProxy unit to ping a gateway at regular intervals to ensure that it is online and
working. When the gateway is not accessible, that interface is marked as down.
Set the interval (how often to send a ping) and failtime (how many lost pings are considered a failure). A smaller
interval and smaller number of lost pings results in faster detection but creates more traffic on your network. You
might also want to log CPU and memory usage, as a network outage causes your CPU activity to spike.

To configure a link health monitor using the CLI:

config system link-monitor
edit <link_monitor_name>
set srcintf <interface_name>
set server <server_IP_address>
set protocol {ping | tcp-echo | udp-echo | http | twamp}
set gateway-ip <gateway_IPv4_address>
set source-ip <IPv4_address>
set interval <seconds>
set timeout <seconds>
set failtime <retry_attempts>
set recoverytime <number_of_successful_responses>
set ha-priority <priority>
set update-cascade-interface {enable | disable}
set update-static-route {enable | disable}
set status {enable | disable}
next
end

CLI option: Description

srcintf: The name of the interface to add the link health monitor to.

server: One or more IP addresses of the servers to be monitored. If the link health monitor cannot connect to all of the servers, remote IP monitoring considers the link to be down. You can add multiple IP addresses to a single link monitor to monitor more than one IP address from a single interface. If you add multiple IP addresses, the health checking will be with all of the addresses at the same time. The link monitor only fails when no responses are received from all of the addresses.

protocol: One or more protocols to be used to test the link. The default is ping.

gateway-ip: The IPv4 address of the remote gateway that the link monitor must communicate with to contact the server. Only required if there is no other route for this communication.

source-ip: Optionally add a source IPv4 address for the monitoring packets. Normally the source address is the address of the source interface. You can add a different source address if required.

interval: The time between sending link health check packets. The default is 5 seconds. The range is 1 to 3600 seconds.

timeout: The time to wait before receiving a response from the server. The default is 1 second. The range is 1 to 255 seconds.

failtime: The number of times that a health check can fail before a failure is detected (the failover threshold). The default is 5. The range is 1 to 10.

recoverytime: The number of times that a health check must succeed after a failure is detected to verify that the server is back up. The default is 5. The range is 1 to 10.

ha-priority: The priority of this link health monitor when the link health monitor is part of a remote link monitor configuration. The default is 1. The range is 1 to 50.

update-cascade-interface: Enable to bring down the source interface if the link health monitor fails. Disable to keep the interface up if the link health monitor fails. The default is enable.

update-static-route: Enable to remove static routes from the routing table that use this interface if the link monitor fails. The default is enable.

status: Enable or disable this link monitor. The default is enable.
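
As an added illustration that is not part of the guide, this Python models the failtime, recoverytime and multiple-server rules from the table above, plus the effect of update-static-route on routes that use the monitored interface; the interface name, server addresses, routes and probe results are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class StaticRoute:
    """Minimal static route: destination prefix and the egress interface (device)."""
    dst: str
    device: str


@dataclass
class LinkMonitor:
    """Tracks one link monitor's state using the guide's failtime/recoverytime rules."""
    srcintf: str
    servers: List[str]
    interval: int = 5             # seconds between probe rounds (default 5)
    failtime: int = 5             # consecutive failed rounds before the link is marked down
    recoverytime: int = 5         # consecutive good rounds before the link is marked up again
    update_static_route: bool = True
    link_up: bool = True
    failures: int = 0
    successes: int = 0
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Ranges taken from the CLI option table above.
        if not 1 <= self.interval <= 3600:
            raise ValueError("interval must be 1..3600 seconds")
        if not 1 <= self.failtime <= 10 or not 1 <= self.recoverytime <= 10:
            raise ValueError("failtime and recoverytime must be 1..10")

    def worst_case_detection_seconds(self) -> int:
        # Approximation: failtime consecutive rounds, one per interval, must all fail.
        return self.interval * self.failtime

    def probe(self, responses: Dict[str, bool]) -> bool:
        """Process one probe round; responses maps server IP to 'answered'.
        A round counts as a failure only when none of the servers answered."""
        round_ok = any(responses.get(s, False) for s in self.servers)
        if round_ok:
            self.failures = 0
            if not self.link_up:
                self.successes += 1
                if self.successes >= self.recoverytime:
                    self.link_up, self.successes = True, 0
                    self.events.append(f"{self.srcintf} up")
        else:
            self.successes = 0
            if self.link_up:
                self.failures += 1
                if self.failures >= self.failtime:
                    self.link_up, self.failures = False, 0
                    self.events.append(f"{self.srcintf} down")
        return self.link_up

    def active_routes(self, routes: List[StaticRoute]) -> List[StaticRoute]:
        """Routes that stay in the routing table: with update-static-route enabled,
        routes using the monitored interface are withdrawn while the link is down."""
        if self.link_up or not self.update_static_route:
            return list(routes)
        return [r for r in routes if r.device != self.srcintf]


def run_scenario() -> dict:
    """Constructed scenario: two monitored servers behind port1, failtime 3, recoverytime 2."""
    mon = LinkMonitor("port1", ["10.0.0.1", "10.0.0.2"], interval=5, failtime=3, recoverytime=2)
    routes = [StaticRoute("0.0.0.0/0", "port1"), StaticRoute("192.168.10.0/24", "port2")]
    # Rounds 1-3: only one server answers, so the link stays up.
    for _ in range(3):
        mon.probe({"10.0.0.1": False, "10.0.0.2": True})
    up_after_partial = mon.link_up
    # Rounds 4-6: neither server answers; the link is marked down on the third failure.
    for _ in range(3):
        mon.probe({"10.0.0.1": False, "10.0.0.2": False})
    routes_while_down = [r.dst for r in mon.active_routes(routes)]
    # Rounds 7-8: both servers answer again; two good rounds restore the link.
    for _ in range(2):
        mon.probe({"10.0.0.1": True, "10.0.0.2": True})
    return {
        "up_after_partial": up_after_partial,
        "routes_while_down": routes_while_down,
        "events": mon.events,
        "final_up": mon.link_up,
        "detection_seconds": mon.worst_case_detection_seconds(),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```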


Selecting the source interface and address for Telnet and SSH

Starting in FortiProxy 7.0.0, the execute telnet-options and execute ssh-options commands allow
administrators to set the source interface and address for their connection:
# execute telnet-options {interface <outgoing interface> | reset | source <source interface IP> | view-settings}
# execute ssh-options {interface <outgoing interface> | reset | source <source interface IP> | view-settings}

To edit the Telnet options:

# execute telnet-options interface port1
# execute telnet-options source 1.1.1.1

To confirm that the Telnet packets are using the configured port and address:

# diagnose sniffer packet any "port 23" 4
4.070426 port1 out 1.1.1.1.13938 -> 15.15.15.2.23: syn 400156130
4.070706 port1 in 15.15.15.2.23 -> 1.1.1.1.13938: syn 2889776642 ack 400156131

To edit the SSH options:

# execute ssh-options interface port1
# execute ssh-options source 1.1.1.1

To confirm that the SSH packets are using the configured port and address:

# diagnose sniffer packet any "port 22" 4
6.898985 port1 out 1.1.1.1.20625 -> 15.15.15.2.22: syn 1704095779
6.899286 port1 in 15.15.15.2.22 -> 1.1.1.1.20625: syn 753358246 ack 1704095780

Create or edit an interface

Selecting Create New > Interface opens the New Interface page, which provides settings for configuring a new interface.

Selecting an interface and then selecting Edit opens the Edit Interface page.
Configure the following settings in the New Interface page or Edit Interface page and click OK:

Name: Enter a name for the interface. Physical interface names cannot be changed. If VLAN pooling is enabled, the maximum name length is 10 characters. You cannot edit the interface name after you create the interface.

Alias: Enter an alternate name for a physical interface on the FortiProxy unit. The alias can be a maximum of 25 characters. The alias name does not appear in logs. This field appears when editing an existing physical interface.

Type: Select the type of the interface: VLAN, 802.3ad Aggregate, or Redundant Interface.

Interface Members: Select the ports to be included in the interface if the Type is 802.3ad Aggregate or Redundant Interface.

Interface: This field is available when Type is set to VLAN. Select the name of the physical interface that you want to add a VLAN interface to. After it is created, the VLAN interface is listed below its physical interface in the Interface list. You cannot change the physical interface of a VLAN interface.

VLAN ID: This field is available when Type is set to VLAN. Enter the VLAN ID. You cannot change the VLAN ID except when you add a new VLAN interface. The VLAN ID must be a number between 1 and 4094. It must match the VLAN ID that the IEEE 802.1Q-compliant router or switch that is connected to the VLAN subinterface adds.

Role: Set the role for the interface. Different settings are shown or hidden when editing an interface depending on the role.
• LAN: Used to connect to a local network of endpoints.
• WAN: Used to connect to the internet.
• DMZ: Used to connect to the DMZ. When selected, DHCP server and Security mode are not available.
• Undefined: The interface has no specific role.

Estimated bandwidth: The estimated WAN bandwidth. Enter the upstream and downstream bandwidth. These values are used to estimate WAN usage.

Addressing mode: Select the addressing mode for the interface:
• Select Manual and add an IPv4 address and network mask for the interface. If IPv6 configuration is enabled, you can add both an IPv4 and an IPv6 address.
• Select DHCP to get the interface IP address and other network settings from a DHCP server.
• Select Auto-managed by FortiIPAM if you have FortiIPAM Cloud. The FortiIPAM (IP Address Management) service automatically assigns subnets to the FortiProxy unit to prevent duplicate IP addresses from overlapping within the same Security Fabric. FortiIPAM is a paid service and must be registered to the FortiProxy unit in FortiCare.

IP/Netmask: Enter an IPv4 address and subnet mask for the interface. FortiProxy interfaces cannot have IP addresses on the same subnet. This option is available only if Addressing mode is set to Manual.

Retrieve default gateway from server: Enable this to retrieve a default gateway IP address from the DHCP server. The default gateway is added to the static routing table. This option is available only if Addressing mode is set to DHCP.

Distance: Enter the administrative distance for the default gateway retrieved from the DHCP server. The administrative distance is an integer from 1 to 255, and specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. This option is available only if Addressing mode is set to DHCP and Retrieve default gateway from server is enabled.

Override internal DNS: Enable this to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page. This option is available only if Addressing mode is set to DHCP.

IPv6 Addressing mode: Select the addressing mode for the interface:
• Select Manual and add an IP address and network mask for the interface.
• Select DHCP to get the interface IP address and other network settings from a DHCP server.
• Select Delegated to select an IPv6 upstream interface that has DHCPv6 prefix delegation enabled and enter an IPv6 subnet if needed. The interface will get the IPv6 prefix from the upstream DHCPv6 server that is connected to the IPv6 upstream interface and form the IPv6 address with the subnet configured on the interface.

IPv6 Address/Prefix: If Addressing Mode is set to Manual and IPv6 support is enabled, enter an IPv6 address and subnet mask for the interface. A single interface can have an IPv4 address, IPv6 address, or both.

Create address object matching subnet: This option is available when Role is set to LAN or DMZ. Enable this option to automatically create an address object that matches the interface subnet.

Secondary IP address: Add additional IPv4 addresses to this interface.

IPv6 Address/Prefix: If IPv6 support is enabled on the GUI, enter an IPv6 address and subnet mask for the interface. A single interface can have both an IPv4 and IPv6 address or just one or the other. This option is available only if IPv6 Addressing mode is set to Manual.

IPv4 IPv6: Select the types of administrative access permitted for IPv4 and IPv6 connections to this interface.

Speed Test: Allows speed tests to be executed on the interface.

HTTPS: Allow secure HTTPS connections to the GUI through this interface.

HTTP: HTTP traffic is automatically redirected to HTTPS.

PING: Interface responds to pings. Use this setting to verify your installation and for testing.

FMG-Access: Allow FortiManager to access this interface.

SSH: Allow SSH connections to the CLI through this interface.

SNMP: Allow a remote SNMP manager to request SNMP information by connecting to this interface.

FTM: Allow FTM Push notifications, for when users are attempting to authenticate through a VPN and/or RADIUS (with FortiAuthenticator as the RADIUS server).

RADIUS Accounting: Allow RADIUS accounting records that the server forwards (originating from the RADIUS client). These records include the user's IP address and user group.

Security Fabric Connection: Allow Security Fabric access. This access enables CAPWAP and FortiTelemetry.

Stateless Address Auto-configuration: Enable to provide IPv6 addresses to connected devices using SLAAC.

IPv6 prefix list: Enable to provide a list of IPv6 prefixes.

IPv6 prefix: Enter the IPv6 prefix.

Outbound shaping profile: Enable or disable traffic shaping on the interface. This allows you to enforce bandwidth limits on individual interfaces.

Outbound bandwidth: Enable to specify the outbound bandwidth.

Inbound shaping profile: Enable or disable traffic shaping on the interface. This allows you to enforce bandwidth limits on individual interfaces.

Inbound bandwidth: Enable to specify the inbound bandwidth.

Comments: Enter a description of the interface of up to 255 characters.

Status: Enable or disable the interface.

Explicit web proxy: Select this to enable explicit web proxying on this interface.

Explicit FTP proxy: Enable or disable explicit FTP proxying on this interface.

Enable WCCP Protocol: The Web Cache Communication Protocol (WCCP) can be used to provide web caching with load balancing and fault tolerance. In a WCCP configuration, a WCCP server receives HTTP requests from a user's web browsers and redirects the requests to one or more WCCP clients. The clients either return cached content or request new content from the destination web servers before caching it and returning it to the server, which in turn returns the content to the original requester. If a WCCP configuration includes multiple WCCP clients, the WCCP server load balances traffic among the clients and can detect when a client fails and failover sessions to still operating clients. WCCP is described by the Web Cache Communication Protocol Internet draft.

Proxy Captive Portal: Enable or disable proxy captive portal on this interface.

API Preview: The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.

To add secondary IP addresses:

1. Go to Network > Interfaces and select Create New > Interface.


2. Enable Secondary IP Address.
3. Select Create New.
4. Enter the IPv4 address and network mask.
5. Select the types of administrative access to allow.
6. Click OK. The new IP address is added to the table.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

Create or edit a zone

Zones are groups of one or more physical or virtual FortiProxy interfaces to which you can apply security policies to control
inbound and outbound traffic. Grouping interfaces into zones simplifies the creation of security policies where a number
of network segments can use the same policy settings and protection profiles. Interfaces that are included in a zone must
not be assigned to another zone or have firewall policies defined.
Selecting Create New > Zone opens the New Zone page, which provides settings for configuring a new zone.


Selecting a zone and then selecting Edit opens the Edit Zone page.
Configure the following settings in the New Zone page or Edit Zone page and click OK:

Name: Enter a name for the zone. You can change the name of the zone after creating it.

Interface Members: Select the ports to be included in the zone.

Comments: Enter a description of up to 255 characters to describe the zone.

API Preview: The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.


To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

To create a zone:

config system zone
edit <zone_name>
set description <string>
set interface <interface_names>
next
end

Verification

When a client visits an HTTP website, the client is redirected to the captive portal for authentication over HTTPS. For
example, the client could be redirected to a URL by an HTTP 303 message similar to the following:
HTTP/1.1 303 See Other
Connection: close
Content-Type: text/html
Cache-Control: no-cache
Location: https://fpx.fortinetqa.local:7831/XX/YY/ZZ/cpauth?scheme=http&4Tmthd=0&host=172.16.200.46&port=80&rule=75&uri=Lw==&
Content-Length: 0
The captive portal URL used for authentication is https://fpx.fortinetqa.local:7831/.... After the authentication is complete
with all user credentials protected by HTTPS, the client is redirected to the original HTTP website it intended to visit.
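
As an added example that is not from the guide, this Python parses the 303 response shown above, decodes the base64 uri parameter to recover the site the client originally requested, and confirms that the portal URL the client is sent to uses HTTPS; the response text is reconstructed from the lines shown, and the meaning of the rule parameter is not documented on this page.

```python
import base64
from typing import Dict
from urllib.parse import parse_qs, urlsplit

# Constructed from the 303 response above (CRLF line endings, empty body).
SAMPLE_303 = (
    "HTTP/1.1 303 See Other\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: no-cache\r\n"
    "Location: https://fpx.fortinetqa.local:7831/XX/YY/ZZ/cpauth"
    "?scheme=http&4Tmthd=0&host=172.16.200.46&port=80&rule=75&uri=Lw==&\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_captive_redirect(raw: str) -> Dict[str, object]:
    """Parse the proxy's redirect and recover where the client is being sent."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    _version, status, _reason = status_line.split(" ", 2)
    if status != "303":
        raise ValueError(f"expected 303 See Other, got {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    location = urlsplit(headers["location"])
    params = parse_qs(location.query, keep_blank_values=True)
    # The requested path travels base64-encoded in "uri"; "Lw==" decodes to "/".
    orig_path = base64.b64decode(params["uri"][0]).decode()
    scheme, host, port = params["scheme"][0], params["host"][0], params["port"][0]
    default_port = {"http": "80", "https": "443"}.get(scheme)
    netloc = host if port == default_port else f"{host}:{port}"
    return {
        # Credentials are only protected if the portal itself is served over HTTPS.
        "portal_uses_https": location.scheme == "https",
        "portal_host": location.netloc,
        "portal_path": location.path,
        "rule": params["rule"][0],
        "original_url": f"{scheme}://{netloc}{orig_path}",
        # The redirect carries no-cache so a browser does not replay a stale portal URL.
        "no_cache": "no-cache" in headers.get("cache-control", "").lower(),
    }


if __name__ == "__main__":
    for key, value in parse_captive_redirect(SAMPLE_303).items():
        print(f"{key}: {value}")
```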

GRE Tunnel

The Generic Routing Encapsulation (GRE) tunnel allows direct communication between two nodes on a network.
Go to Network > GRE Tunnel to see which GRE tunnels have been configured.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.


The following options are available:

Create New: Select to create a GRE tunnel. See Create or edit a GRE tunnel on page 97.

Edit: Modifies settings for the selected GRE tunnel. When you click Edit, the Edit GRE Tunnel page opens.

Delete: Removes the selected GRE tunnel.

Name: The name of the GRE tunnel.

Interfaces: Name of the source interface.

Remote Gateway: IP address of the remote gateway.

Local Gateway: IP address of the local gateway.

Ref.: Displays the number of times the object is referenced by other objects. To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.

Create or edit a GRE tunnel

Select Create New to open the Create Gre Tunnel page.


Select a GRE tunnel and then click Edit to open the Edit Gre Tunnel page.
Configure the following settings in the Create Gre Tunnel page or Edit Gre Tunnel page and then click OK:

Name: Enter the name to identify the GRE tunnel. You cannot edit the name after you create the GRE tunnel.

Source Interface: Name of the source interface. There is no default value.

Remote Gateway: IP address of the remote gateway. The default is 0.0.0.0.

Local Gateway: IP address of the local gateway. The default is 0.0.0.0.

Sequence Number Reception: Enable or disable whether sequence numbers are validated in the received GRE packets. The default is disable.

Checksum Transmission: Enable or disable whether checksums are included in transmitted GRE packets. The default is disable.

Checksum Reception: Enable or disable whether checksums are validated in received GRE packets. The default is disable.

Key Outbound: Enter the key to be included in transmitted GRE packets. The range is 0 to 4,294,967,295. The default is 0.

Key Inbound: Enter the key that is required to be in received GRE packets. The range is 0 to 4,294,967,295. The default is 0.

Keepalive Interval: Specify how many minutes pass before a GRE keep-alive message is sent. The range is 0 to 32,767. Enter 0 to disable this feature. The default is 0.

Keepalive Failtimes: How many times the GRE keep-alive message fails before the GRE connection is considered down. The range is 1 to 255. The default is 10.

API Preview: The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

DNS Settings

Several FortiProxy functions use DNS, including alert email. You can specify the IP addresses of the DNS servers to
which your unit connects. DNS server IP addresses are usually supplied by your ISP. To configure DNS settings, go to
Network > DNS Settings.


Configure the following settings and select Apply:

DNS Servers: Select Use FortiGuard Servers or Specify. If you select Specify, enter the IP addresses for the primary and secondary DNS servers. See also Use DNS over TLS for default FortiGuard DNS servers on page 102.

Primary DNS Server: Enter the IPv4 or IPv6 address for the primary DNS server.

Secondary DNS Server: Enter the IPv4 or IPv6 address for the secondary DNS server.

Local Domain Name: Enter the domain name to append to addresses with no domain portion when performing DNS lookups.

DNS (UDP/53): Enable or disable the use of clear-text DNS over port 53.

TLS (TCP/853): Enable or disable the use of DNS over TLS (DoT).

HTTPS (TCP/443): Enable or disable the use of DNS over HTTPS (DoH).

SSL certificate: Select which SSL certificate to use, or click Create to import a certificate.

Server hostname: Enter the host name of the DNS server.

API Preview: The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.

Edit in CLI: Click to open a CLI console window to view and edit the setting in the CLI. If there are multiple CLI settings on the page, the CLI console shows the first setting.

Local Out Setting: Click to directly configure the local-out settings.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

To enable DoT and DoH DNS in the CLI:

config system dns
set primary <IP_address>
set secondary <IP_address>
set protocol {cleartext | dot | doh}
end

Using the FortiProxy unit as an IPv6 DDNS client for generic DDNS

When configuring the generic DDNS service provider as a DDNS server, the server type and address type can be set to
IPv6. This allows the FortiProxy unit to connect to an IPv6 DDNS server and provide the FortiProxy unitʼs IPv6 interface
address for updates.
config system ddns
edit <ID>
set ddns-server genericDDNS
set server-type {ipv4 | ipv6}
set ddns-server-addr <address>
set addr-type {ipv4 | ipv6}
set monitor-interface <port>
next
end


To configure an IPv6 DDNS client with generic DDNS:

config system ddns
edit 1
set ddns-server genericDDNS
set server-type ipv6
set ddns-server-addr "2004:16:16:16::2" "16.16.16.2" "ddns.genericddns.com"
set ddns-domain "test.com"
set addr-type ipv6
set monitor-interface "port3"
next
end

Use DNS over TLS for default FortiGuard DNS servers

When using FortiGuard servers for DNS, the FortiProxy unit defaults to using DNS over TLS (DoT) to secure the DNS
traffic. New FortiGuard DNS servers are added as primary and secondary servers.

Because DNS servers probably do not support low encryption DES, low encryption devices do
not have the option to select DoT or DoH. The devices default to cleartext (UDP/53) instead.

The FortiGuard DNS server certificates are signed with the globalsdns.fortinet.net hostname by a public CA. The
FortiProxy unit verifies the server hostname using the server-hostname setting.

To view the FortiGuard server DNS settings in the GUI:

1. Go to Network > DNS Settings.


2. For DNS servers, select Use FortiGuard Servers.
The Primary DNS server is 96.45.45.45, and the Secondary DNS server is 96.45.46.46. DNS Protocols is set to TLS
and cannot be modified.

To view the FortiGuard server DNS settings in the CLI:

# show system dns
config system dns
set primary 96.45.45.45
set secondary 96.45.46.46
set protocol dot
set server-hostname "globalsdns.fortinet.net"
end

The protocol and server-hostname settings should not be modified when using the
default FortiGuard servers.


DNS Service

You can create local DNS servers for your network. Depending on your requirements, you can manually maintain your
entries (primary DNS server) or use it as a jumping point, where the server refers to an outside source (secondary DNS
server). A local primary DNS server works similarly to the DNS server addresses configured in Network > DNS Settings,
but you must manually add all entries. This allows you to add a local DNS server to include specific URL and IP address
combinations.
You can set an option to ensure this type of DNS server is not the authoritative server. When configured as a recursive
DNS, the FortiProxy unit will check its internal DNS server (primary or secondary). If the request cannot be fulfilled, it will
look to the external DNS servers. This is known as a split DNS configuration.
To configure DNS servers and zones, go to Network > DNS Service.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.


From the DNS Service page, you can do the following:

• Create or edit a DNS service on page 104
• Create or edit a DNS zone on page 105

Create or edit a DNS service

To add a DNS service on a specific interface:

1. Go to Network > DNS Service and, under DNS Service on Interface, select Create New.

2. Select an interface.
3. Select Recursive, Non-Recursive, or Forward to System DNS.
4. Enable DNS Filter if you want to use a DNS filter and select the DNS filter to use.
5. Enable DNS over HTTPS if you want to use DNS over HTTPS.
6. Click OK. The new DNS service is added to the table.

To edit a DNS service:

1. Go to Network > DNS Service and, under DNS Service on Interface, select a DNS service.
2. Select Edit.
3. Make your changes.
4. Click OK.

To enable DNS over HTTPS (DoH) on the DNS server in the CLI:

config system dns-server
edit {<DNS_server_name> | <interface_name>}
set dnsfilter-profile {<profile_name> | default}
set doh enable
next
end


Create or edit a DNS zone

You can create a primary or secondary DNS zone.

To create a primary DNS zone:

1. Go to Network > DNS Service and, under DNS Database, select Create New.


2. Select Primary for the type of DNS zone.


3. Select the accessibility of the DNS server. If you select Public, external users can use the DNS server. If you select
Shadow, only internal users can use it.
4. Enter a name for the DNS zone.
5. Enter the domain name.
6. Enter the host name of the primary DNS server.
7. Enter the contact email address for the administrator, for example, admin@example.com.
8. Enter how long the DNS zone should exist in days, hours, minutes, and seconds. The maximum time to live (TTL) is
86,400 seconds.
9. Enable Authoritative if you want an authoritative zone.
10. Enter the IP address for the DNS zone forwarder.
11. Select or create a DNS entry. See Create or edit a DNS entry on page 106.
12. Click OK to save your new DNS zone. The new DNS zone is added to the table.

To create a secondary DNS zone:

1. Go to Network > DNS Service and, under DNS Database, select Create New.
2. Select Secondary for the type of DNS zone.
3. Select the accessibility of the DNS server. If you select Public, external users can use the DNS server. If you select
Shadow, only internal users can use it.
4. Enter a name for the DNS zone.
5. Enter the domain name.
6. Enter the IP address of the primary DNS zone.
7. Enable Authoritative if you want an authoritative zone.
8. Enter the IP address for the DNS zone forwarder.
9. Click OK to save your new DNS zone. The new DNS zone is added to the table.

To edit a DNS zone:

1. Go to Network > DNS Service and, under DNS Database, select a DNS zone.
2. Select Edit.
3. Make your changes.
4. Click OK to save your changes.

Create or edit a DNS entry

You can create or edit a DNS entry for the DNS service.

To create a DNS entry:

1. Go to Network > DNS Service and, under DNS Database, select a DNS zone and then click Edit.
2. In the Edit DNS Zone page, select Create New.

3. Select the type of DNS entry, one of Address (A), Name Server (NS), Canonical Name (CNAME), Mail Exchange
(MX), IPv6 Address (AAAA), IPv4 Pointer (PTR), or IPv6 Pointer (PTR).
4. Enter the host name for the DNS entry.
5. Enter the fully qualified domain name for the DNS entry.
6. Enter the IP address for the DNS entry.
7. For the time to live (TTL), select Use Zone TTL or Specify. If you select Specify, enter the number of days, hours,
minutes, and seconds, up to a maximum of 86,400 seconds.
8. Enable or disable Status to make the DNS entry active or inactive.
9. Click OK to save your new DNS entry. The new DNS entry is added to the table.
10. Click OK to save your changes to the DNS zone.

To edit a DNS entry:

1. Go to Network > DNS Service and, under DNS Database, select a DNS zone and then click Edit.
2. Select a DNS entry and then click Edit.
3. In the Edit DNS Entry page, make your changes.
4. Click OK to save your changes to the DNS entry.
5. Click OK to save your changes to the DNS zone.

Packet Capture

You can create a filter on an interface to capture a specified number of packets to examine. Go to Network > Packet
Capture to see existing packet capture filters.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.

The following options are available:

Create New Creates a new packet capture filter. See Create or edit a packet capture filter on
page 108.

Edit Modifies settings within a packet capture filter.

Clone Copies an existing packet capture filter.

Delete Removes a packet capture filter from the list.


To remove multiple filters, select multiple rows in the list by holding down the Ctrl
or Shift keys and then select Delete.

Search Enter a search term to search the filter list.

Interfaces The interface or port number that the filter will examine.

Host Filter The hosts being examined.

Port Filter The ports being examined.

VLAN Filter The VLANs being examined.

Protocol Filter The protocols being examined.

Packets The number of packets captured.

Max Packet Count The maximum number of packets to collect.

Status Whether the packet capture is running.


To run the capture, select the play button in the progress column in the packet
capture list. If the filter is not active, Not Running is displayed in the column cell.
The progress bar indicates the status of the capture. You can stop and restart it at
any time. When the capture is complete, select the Download icon to save the
packet capture file to your hard disk for further analysis.

Capture IPv6 Whether the capture of IPv6 packets has been enabled.

Capture Non-IP Whether the capture of non-IP packets has been enabled.

Create or edit a packet capture filter

Go to Network > Packet Capture to create or edit a packet capture filter.

To create a packet capture filter:

1. Select Create New.
2. Configure the following settings and click OK:

Interface Select an interface.

Maximum Captured Packets Enter how many packets to collect.

Filters Enable Filters to create filters for host names, ports, VLAN identifiers, and
protocols. Use commas to separate items. Use a hyphen to specify a range.

Include Non-IP Packets Select this option if you want to include packets from non-IP protocols.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

To edit a packet capture filter:

1. Select a packet capture filter.
2. Select Edit.
3. Make your changes.
4. Click OK to save your changes.

Static routes

To see a list of static routes that control the flow of traffic through the unit, go to Network > Static Routing.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Creates an IPv4 or IPv6 static route. See Create or edit a static route on page
110.

Edit Modifies settings within the static route. See Create or edit a static route on page
110.

Clone Copies an existing route.

Delete Removes a static route from the list.


To remove multiple static routes, select multiple rows in the list by holding down
the Ctrl or Shift keys and then select Delete.

Search Enter a search term to find in the list.

Destination The destination IP addresses and network masks of packets that the FortiProxy
unit intercepts.

Gateway IP The IP addresses of the next-hop routers to which intercepted packets are
forwarded.

Interface The interface or port number the static route is configured to.

Status The static route is either enabled or disabled.

Comments A description of the route (optional).

Distance The number of hops the static route has to the configured gateway. Routes with
the same distance are considered as equal-cost multi-path (ECMP).

Priority A number for the priority of the static route. Routes with a larger number will have
a lower priority. Routes with the same priority are considered as ECMP.

Create or edit a static route

Select Create New > IPv4 Static Route or Create New > IPv6 Static Route to open the New Static Route page and create
a static route.

Select a static route and then click Edit to change a static route.
Configure the following settings in the New Static Route page or Edit Static Route page and click OK:

Destination Enter the IPv4 or IPv6 address and netmask of the new static route.

Gateway Address Enter the gateway IP address for those packets that you intend the unit to
intercept.

Interface Select the static route's interface, port number, or Blackhole.


A blackhole route is a route that drops all traffic sent to it. Blackhole routes are
used to dispose of packets instead of responding to suspicious inquiries. This
provides added security since the originator will not discover any information from
the target network. Blackhole routes can also limit traffic on a subnet. If some
subnet addresses are not in use, traffic to those addresses, which may be valid or
malicious, can be directed to a blackhole for added security and to reduce traffic
on the subnet.

Administrative Distance The administrative distance is used to determine the cost of the route. Smaller
distances are considered as a "better" route that should be used when multiple
paths exist to the same destination. The routes with the same distance are
considered as equal-cost multi-path routing (ECMP).

Comments Enter a description up to 255 characters to describe the new static route.

Status Select Enabled or Disabled to set the status of the new static route.

Advanced Options Click + to show the Priority option.

Priority Enter a number for the priority of the static route. Routes with a larger number
have a lower priority. Routes with the same priority are considered as ECMP.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

Policy routes

Policy routing allows you to specify an interface to route traffic. This is useful when you need to route certain types of
network traffic differently than you would if you were using the routing table. You can use the incoming traffic's protocol,
source or destination address, source interface, or port number to determine where to send the traffic. Policy routes are
sometimes referred to as Policy-based routes (PBR).
When a packet arrives, the FortiProxy starts at the top of the policy route list and attempts to match the packet with a
policy. For a match to be found, the policy must contain enough information to route the packet. At a minimum, this
requires the outgoing interface to forward the traffic, and the gateway to route the traffic to. If one or both of these are not
specified in the policy route, then the FortiProxy searches the routing table to find the best active route that corresponds
to the policy route. If no routes are found in the routing table, then the policy route does not match the packet. The
FortiProxy continues down the policy route list until it reaches the end. If no matches are found, then the FortiProxy does
a route lookup using the routing table.

Configuring a policy route

In this example, a policy route is configured to send all FTP traffic received at port1 out through port3 and to a next hop
router at 10.1.1.1. To route FTP traffic, the protocol is set to TCP (6) and the destination ports are set to 21 (the FTP
port).

To configure a policy route in the GUI:

1. Go to Network > Policy Routes and click Create New.
2. Configure the following fields:

Incoming interface port1

Source Address 0.0.0.0/0.0.0.0

Destination Address 0.0.0.0/0.0.0.0

Protocol TCP

Destination ports 21 - 21

Type of service 0x00

Bit Mask 0x00

Outgoing interface Enable and select port3

Gateway address 10.1.1.1

3. Click OK.

To configure a policy route in the CLI:

config router policy
    edit 1
        set input-device "port1"
        set src "0.0.0.0/0.0.0.0"
        set dst "0.0.0.0/0.0.0.0"
        set protocol 6
        set start-port 21
        set end-port 21
        set gateway 10.1.1.1
        set output-device "port3"
    next
end

Policy & Objects

The Policy & Objects menu provides the following options:
• Policy on page 116
• Authentication Rules on page 136
• Proxy Auth Setting on page 145
• Traffic shaping on page 148
• Central SNAT on page 154
• PAC Policy on page 158
• Policy Test on page 161
• Decrypted Traffic Mirror on page 162
• Addresses on page 164
• Internet Service Database on page 175
• Services on page 175
• Schedules on page 184
• Virtual IPs on page 189
• IP Pools on page 194
• ZTNA on page 196

Policy

The policy list displays firewall policies in their order of matching precedence. Firewall policy order affects policy
matching. For details about arranging policies in the policy list, see Change how the policy list is displayed.
You can add firewall policies that match HTTP traffic to be cached according to source and destination addresses and
the destination port of the traffic.
Various right-click menus are available throughout the policy list. The columns displayed in the policy list can be
customized, and filters can be added in a variety of ways to filter the information that is displayed. See Change how the
policy list is displayed.
To view the policy list, go to Policy & Objects > Policy.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Add a new policy. New policies are added to the bottom of the list. See Create or
edit a policy on page 121.

Edit Edit the selected policy. See Create or edit a policy on page 121.

Delete Delete the selected policy.

Policy Lookup Find a policy.

Search Enter a search term to find in the policy list.

Interface Pair View/By Sequence Select how to view the policy list:
• Interface Pair View—Displays the policies in the order that they are checked
for matching traffic, grouped by the pairs of Incoming and Outgoing
interfaces. For instance, all of the policies referencing traffic from WAN1 to
DMZ will be in one section. The policies referencing traffic from DMZ to
WAN1 will be in another section. The sections are collapsible so that you only
need to look at the sections with policies you are interested in.
• By Sequence—Displays the policies in the order that they are checked for
matching traffic without any grouping. The FortiProxy unit automatically
changes the view on the policy list page to By Sequence whenever there is a
policy containing the any interface. If the Interface Pair View is grayed out,
one or more of the policies is using the any interface.

Type The type of policy, such as Explicit Web, Transparent, or SSH Tunnel. See Policy
types on page 123.

Name The name of the policy.

Incoming Interface The incoming interface or interfaces.

Outgoing Interface The outgoing interface or interfaces.

Source The source is the source address or source user of the initiating traffic.

Destination The destination address or address range that the policy matches. For more
information, see Web cache policy address formats on page 120.

Schedule The time frame that is applied to the policy. See Schedules on page 184.

Service The service or services chosen here represent the TCP/IP suite port numbers that
will most commonly be used to transport the named protocols or group of
protocols. See Services on page 175.

Action The action to be taken by the policy, such as ACCEPT, DENY, REDIRECT, or
ISOLATE.

Security Profiles All the profiles used by the policy, such as AntiVirus, Web Filter, DLP Sensor,
ICAP, SSL Inspection, and Content Analysis options. See Security Profiles on
page 220.

Log The logging level of the policy. Options vary depending on the policy type.

Bytes The number of bytes.

Active Sessions The number of active sessions.

Application Control What action is taken when an application matches.

AV The antivirus profile used by the policy. See AntiVirus on page 223.

Comments Comments about the policy (up to 1023 characters).

Destination Address The destination addresses that the policy matches. The destination address can
be used as a traffic filter.

DNS Filter The DNS filter profile used by the policy. See DNS Filter on page 242.

Email Filter The email filter profile used by the policy. See Email Filter on page 259.

Enforce ZTNA Whether Zero Trust Network Access (ZTNA) is enabled or disabled. See ZTNA on
page 196.

File Filter The file filter profile used by the policy. See File Filter on page 256.

First Used When the policy was first used.

Groups Which groups the policy matches.

Hit Count Number of results found.

ICAP The ICAP profile used by the policy. See Create or edit an ICAP profile on page
304.

ID The policy identifier. Policies are numbered in the order they are added to the
configuration.

IPS Which IPS signatures the policy uses.

Last Used When the policy was last used.

Packets The number of packets.

Protocol Options The proxy options profile used by the policy. See Proxy Options on page 73.

Source Address The addresses that a policy can receive traffic from. For more information, see
Web cache policy address formats on page 120.

SSL Inspection The SSL/SSH inspection options used by the policy. See SSL/SSH Inspection on
page 266.

Status Select to enable a policy or clear to disable a policy. A disabled policy is out of
service.

Users Which users the policy matches.

Video Filter The video filter profile used by the policy. See Video Filter on page 239.

VPN Tunnel The VPN tunnel used by the policy. See VPN on page 344.

Web Application Firewall The web application firewall profile used by the policy. See Web Application
Firewall on page 262.

Web Filter The web filter profile used by the policy. See Web Filter on page 230.

ZTNA Tag The ZTNA tags used in the ZTNA rule that is used by the policy. See ZTNA on
page 196.

Change how the policy list is displayed

Policies can be added, edited, copied and pasted, moved, and deleted. To help organize your policies, you can also
create sections to group policies together.
Policies can be inserted above or below existing policies and can also be disabled if needed.
The displayed policies can be filtered by either using the search field in the toolbar or by selecting the filter icon in a
column heading. The available filter options vary depending on the type of data that the selected column contains.

How list order affects policy matching

The FortiProxy unit uses the first-matching technique to select which policy to apply to a communication session.
When policies have been added, each time the FortiProxy unit accepts a communication session, it then searches the
policy list for a matching policy. Matching policies are determined by comparing the policy with the session source and
destination addresses and the destination port. The search begins at the top of the policy list and progresses in order
towards the bottom. Each policy in the policy list is compared with the communication session until a match is found.
When the FortiProxy unit finds the first matching policy, it applies that policy and disregards subsequent policies.
If no policy matches, the session is accepted.
As a general rule, you should order the policy list from most specific to most general because of the order in which
policies are evaluated for a match and because only the first matching policy is applied to a session. Subsequent
possible matches are not considered or applied.
NOTE: Ordering policies from most specific to most general prevents policies that match a wide range of traffic from
superseding and effectively masking policies that match exceptions.

Policy rules and authentication rules

Policy rules control what a user or user group can do. Authentication rules define how to authenticate a user. If a policy
without a user group matches the type of traffic, authentication is not used because the user group was not specified in
the policy.
For example, if a policy rule involving an explicit proxy has the Source field specifying an LDAP-based user group, any
other policy rule referencing the explicit proxy is only matched if its Source field also specifies an LDAP-based group.

Move a policy

When more than one policy has been defined, the first matching policy is applied to the traffic session. You can arrange
the policy list to influence the order in which policies are evaluated for matches with incoming traffic. See How list order
affects policy matching on page 119 for more information.
NOTE: Moving a policy in the policy list does not change its ID, which only indicates the order in which the policies were
created.

To move a policy, click and drag the name to a new location. You can also move a policy by cutting and pasting it into a
new location.

Copy and paste a policy

Policies can be copied and pasted to create clones. Right-click on the policy name and then select Copy from the pop-up
menu. Right-click in the policy name that the new clone policy will be placed next to and select Paste Above or Paste
Below to insert the new policy before or after the selected policy.

Policy lookup

Firewall policy lookup is based on the Source_interfaces/Protocol/Source_Address/Destination_Address that
matches the source-port and dst-port of the protocol. Use this tool to find out which policy matches
specific traffic from a number of policies. After completing the lookup, the matching firewall policy is highlighted on the
policy list page.
The Policy Lookup tool has the following requirements:
• Transparent mode does not support the Policy Lookup function.
• When executing the policy lookup, you need to confirm that the route required for the policy to work
already exists.

To use the policy lookup:

1. Go to Policy & Objects > Policy and click Policy Lookup.
2. Select the incoming interface.
3. Select IPv4 or IPv6 for the IP version.
4. Enter the protocol number.
5. Enter the source IP address.
6. Enter the destination IP address or fully qualified domain name.
7. Click Search to display the policy lookup results.

Web cache policy address formats

A source or destination address can contain one or more network addresses. Network addresses can be represented by
an IP address with a netmask or an IP address range.
When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For
example, a source or destination address can be any of the following:
• a single computer, for example, 192.45.46.45
• a subnetwork, for example, 192.168.1.* for a class C subnet
• 0.0.0.0 matches any IP address

The netmask corresponds to the subnet class of the address being added and can be represented in either dotted
decimal or CIDR format. The FortiProxy unit automatically converts CIDR-formatted netmasks to dotted decimal format.
Example formats:
• netmask for a single computer: 255.255.255.255 or /32
• netmask for a class A subnet: 255.0.0.0 or /8
• netmask for a class B subnet: 255.255.0.0 or /16
• netmask for a class C subnet: 255.255.255.0 or /24
• netmask including all IP addresses: 0.0.0.0
Valid IP address and netmask formats include:
• x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
• x.x.x.x/x, such as 192.168.1.0/24

NOTE: An IP address 0.0.0.0 with the netmask 255.255.255.255 is not a valid source or destination address.

When representing hosts by an IP address range, the range indicates hosts with continuous IP addresses in a subnet,
such as 192.168.1.[2-10], or 192.168.1.*, to indicate the complete range of hosts on that subnet. You can also
indicate the complete range of hosts on a subnet by entering 192.168.1.[0-255] or 192.168.1.0-192.168.1.255.
Valid IP range formats include:
• x.x.x.x-x.x.x.x, for example, 192.168.110.100-192.168.110.120
• x.x.x.[x-x], for example, 192.168.110.[100-120]
• x.x.x.*, for a complete subnet, for example, 192.168.110.*
• x.x.x.[0-255] for a complete subnet, such as 192.168.110.[0-255]
• x.x.x.0-x.x.x.255 for a complete subnet, such as 192.168.110.0-192.168.110.255

NOTE: You cannot use square brackets [ ] or asterisks * when adding addresses to the CLI. Instead
you must enter the start and end addresses of the subnet range separated by a dash -. For
example, 192.168.20.0-192.168.20.255 for a complete subnet and 192.168.10.10-192.168.10.100 for a range of
addresses.
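The address formats above and the first-match rule from How list order affects policy matching, as an added example that is not FortiProxy code: a parser that turns each format into a first-last host pair, emits the dash form the CLI requires, and a first-match lookup over a constructed two-policy list showing why the general policy must sit below the exception. The policy names, addresses and port range are constructed for illustration.

```python
import ipaddress
import re

# Added example, not FortiProxy code: implements the web cache policy address
# formats listed in the guide and the first-match rule from "How list order
# affects policy matching". Sample addresses, ports and policy names are constructed.

IPv4 = ipaddress.IPv4Address
_RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)$")
_BRACKET_RE = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")
_STAR_RE = re.compile(r"^(\d+\.\d+\.\d+)\.\*$")


def netmask_to_dotted(mask):
    """Return a netmask as dotted decimal; accepts '24', '/24' or dotted input.
    The guide says the unit converts CIDR masks this way; bad masks raise ValueError."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{mask.strip().lstrip('/')}").netmask)


def parse_address(text):
    """Parse one address in any of the guide's formats into a (first, last) host pair."""
    text = text.strip()
    if m := _RANGE_RE.match(text):                     # x.x.x.x-x.x.x.x
        first, last = IPv4(m.group(1)), IPv4(m.group(2))
    elif m := _BRACKET_RE.match(text):                 # x.x.x.[x-x]
        lo, hi = int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad last-octet range in {text!r}")
        first, last = IPv4(f"{m.group(1)}.{lo}"), IPv4(f"{m.group(1)}.{hi}")
    elif m := _STAR_RE.match(text):                    # x.x.x.*
        first, last = IPv4(f"{m.group(1)}.0"), IPv4(f"{m.group(1)}.255")
    elif "/" in text:                                  # x.x.x.x/x.x.x.x or x.x.x.x/x
        addr, mask = text.split("/", 1)
        dotted = netmask_to_dotted(mask)
        if addr == "0.0.0.0" and dotted == "255.255.255.255":
            # Guide: 0.0.0.0 with netmask 255.255.255.255 is not a valid address.
            raise ValueError("0.0.0.0/255.255.255.255 is not a valid address")
        net = ipaddress.IPv4Network(f"{addr}/{dotted}", strict=False)
        first, last = net.network_address, net.broadcast_address
    elif text == "0.0.0.0":                            # guide: matches any IP address
        first, last = IPv4("0.0.0.0"), IPv4("255.255.255.255")
    else:                                              # single host, same as /32
        first = last = IPv4(text)
    if first > last:
        raise ValueError(f"range start is after range end in {text!r}")
    return first, last


def is_valid_address(text):
    """True when the text is an address form the guide accepts."""
    try:
        parse_address(text)
    except ValueError:  # AddressValueError and NetmaskValueError are subclasses
        return False
    return True


def to_cli_range(text):
    """Rewrite any GUI form as start-end: brackets and * are not accepted in the CLI."""
    first, last = parse_address(text)
    return f"{first}-{last}"


def first_match(policies, src_ip, dst_ip, dst_port):
    """Name of the first policy, top to bottom, whose source, destination and
    destination port (inclusive start-end) all match; later policies are ignored."""
    src, dst = IPv4(src_ip), IPv4(dst_ip)
    for pol in policies:
        s_lo, s_hi = parse_address(pol["src"])
        d_lo, d_hi = parse_address(pol["dst"])
        p_lo, p_hi = pol["ports"]
        if s_lo <= src <= s_hi and d_lo <= dst <= d_hi and p_lo <= dst_port <= p_hi:
            return pol["name"]
    return None


# Constructed policy list with the general policy first: the guest exception
# below it is never reached, which the guide calls masking.
BAD_ORDER = [
    {"name": "allow-all-web", "src": "0.0.0.0/0.0.0.0", "dst": "0.0.0.0/0",
     "ports": (80, 443), "action": "ACCEPT"},
    {"name": "deny-guest-web", "src": "192.168.20.*", "dst": "0.0.0.0/0",
     "ports": (80, 443), "action": "DENY"},
]
# The same policies ordered most specific to most general, as the guide advises.
GOOD_ORDER = [BAD_ORDER[1], BAD_ORDER[0]]

if __name__ == "__main__":
    for a in ("192.168.110.[100-120]", "192.168.110.*", "192.168.1.0/24",
              "192.168.110.0 - 192.168.110.255", "192.45.46.45"):
        print(f"{a:32} -> CLI form {to_cli_range(a)}")
    guest = ("192.168.20.55", "203.0.113.10", 443)
    print("general-first order matches:", first_match(BAD_ORDER, *guest))
    print("specific-first order matches:", first_match(GOOD_ORDER, *guest))
```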

Create or edit a policy

New policies can be created by selecting Create New in the toolbar. By default, the new policy appears at the bottom of
the policy list. New policies can also be created above or below an existing policy by right-clicking a policy name and
selecting Insert Empty Policy Above or Insert Empty Policy Below or by copying or cutting an existing policy and then
selecting Paste Above or Paste Below from the right-click menu.

Editing a policy

Policy information can be edited as required in four ways:
• By double-clicking on the sequence number of a policy or the policy name in the policy list
• By selecting a policy and then selecting Edit from the toolbar
• By hovering over the policy name and then selecting Edit (the pencil icon)
• By right-clicking on the sequence number of the policy or the policy name and selecting Edit from the right-click
menu
The editing window for regular policies contains the same information as when creating new policies.

Policy types

There are six types of policies:


• Explicit—for an explicit web proxy policy.
Use an explicit web proxy policy if you want to use the explicit web proxy.
You can use the FortiProxy explicit web proxy to enable explicit proxying of IPv4 and IPv6 HTTP, and HTTPS traffic
on one or more FortiProxy interfaces. The explicit web proxy also supports proxying FTP sessions from a web
browser and proxy auto-config (PAC) to provide automatic proxy configurations for explicit web proxy users. From
the CLI, you can also configure the explicit web proxy to support SOCKS sessions from a web browser.
The explicit web and FTP proxies can be operating at the same time on the same or on different FortiProxy
interfaces.
The explicit web proxy receives web browser sessions to be proxied at FortiProxy interfaces with the explicit web
proxy enabled. The explicit web proxy uses FortiProxy routing to route sessions through the FortiProxy unit to a
destination interface. Before a session leaves the exiting interface, the explicit web proxy changes the source
addresses of the session packets to the IP address of the exiting interface. You can configure the explicit web proxy
to keep the original client IP address.
• Transparent—for a transparent firewall policy.
Use a transparent firewall policy if you want to use the transparent web proxy.
In addition to the explicit web proxy, the FortiProxy unit supports a transparent web proxy. While it does not have as
many features as explicit web proxy, the transparent proxy has the advantage that nothing needs to be done on the
user's system to forward supported web traffic over to the proxy. There is no need to reconfigure the browser or
publish a PAC file. Everything is transparent to the end user, hence the name. This makes it easier to incorporate
new users into a proxy deployment.
You can use the transparent proxy to apply web authentication to HTTP traffic accepted by a firewall policy.
On networks where authentication based on IP address will not work, you can use the transparent web proxy to
apply web authentication that is based on the user's browser and not on their IP address. This authentication
method allows you to identify individual users even if multiple users on your network are connecting to the
FortiProxy unit from the same IP address.
• FTP—for an explicit FTP proxy policy.
Use an explicit FTP proxy policy if you want to use the explicit FTP proxy.
You can use the FortiProxy explicit FTP proxy to enable explicit FTP proxying on one or more FortiProxy interfaces.
The explicit web and FTP proxies can be operating at the same time on the same or on different FortiProxy
interfaces.
The FTP proxy receives FTP sessions to be proxied at FortiProxy interfaces with the explicit FTP proxy enabled.
The FTP proxy uses FortiProxy routing to route sessions through the FortiProxy unit to a destination interface.

Before a session leaves the exiting interface, the explicit FTP proxy changes the source addresses of the session
packets to the IP address of the exiting interface.
• SSH Tunnel—to perform access control for TCP/IP port forwarding traffic that is tunneled through the SSH proxy.
• SSH Proxy—to apply a proxy firewall policy with user authentication on SSH sessions.
• Wanopt—for a WAN optimization tunnel.
All optimized traffic passes between the FortiProxy units or between a FortiClient peer and a FortiProxy unit over a
WAN optimization tunnel. Traffic in the tunnel can be sent in plain text or encrypted using AES-128bit-CBC SSL.
Both plain text and the encrypted tunnels use TCP destination port 7810.
Before a tunnel can be started, the peers must be configured to authenticate with each other. Then, the client-side
peer attempts to start a WAN optimization tunnel with the server-side peer. Once the peers authenticate with each
other, they bring up the tunnel and WAN optimization communication over the tunnel starts. After a tunnel has been
established, multiple WAN optimization sessions can start and stop between peers without restarting the tunnel.

Configuring a policy

To configure an explicit policy:

Type: Select Explicit. See Policy types.

Name: Enter a unique name for the new policy. Names can be changed later.

Explicit Web Proxy: If you selected Explicit for the policy type, select web-proxy or search for a policy. To create an explicit proxy policy, see Create or edit an explicit web proxy on page 51.

Outgoing Interface: Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Source: Click +. A window slides out from the right where you can select from the available sources. You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses. The Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source.

Destination: Click +. A window slides out from the right where you can select from the available destinations. You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses.

Negate Destination: Enable to use all destinations except the ones specified in the Destination field.

Schedule: Select a schedule from the drop-down list. Select Create to create a schedule. For more information, see Schedules on page 184.

Service: Select a service or service group that packets must match to trigger this policy. Select Create to create a service list. See Services on page 175.

FortiProxy 7.0 Administration Guide 124


Fortinet Inc.
Policy & Objects

You can add multiple services or service groups.

Action: Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.
- ACCEPT—Accept traffic matched by the policy.
- DENY—Reject traffic matched by the policy.
- REDIRECT—Redirect traffic matched by the policy to the URL specified in the Redirect URL field.
- ISOLATE—Isolate traffic matched by the policy to the isolator server selected in the Isolator Server drop-down list.

Web Cache: Enable or disable web caching.

Reverse Cache: Enable to use reverse proxy web caching. This option is available only if the Action is ACCEPT and Web Cache is enabled.

Web Cache For HTTPS Traffic: Enable or disable web caching for HTTPS traffic.

Transparent: Enable or disable transparent proxy.

Poolname: If you configured an IP pool, enable this option and then select the IP pool from the drop-down list.

Webproxy Profile: If you configured a web proxy profile, enable this option and then select the web proxy profile from the drop-down list. See Web Proxy Profile on page 57.

Web Proxy Forwarding Server: If you configured a web proxy forwarding server, enable this option and then select a server from the drop-down list. See Create or edit a forwarding server on page 63.

Protocol Options: Select the proxy options profile for the policy to use. See Proxy Options on page 73.

SSL/SSH Inspection: The SSL/SSH inspection options used by the policy. See SSL/SSH Inspection on page 266.

Display Disclaimer: If you want to display a disclaimer about Internet content that is not controlled by the network access provider, select By Domain, By Policy, or By User. This option is available only if Action is set to ACCEPT.

Customize Messages: Enable and then edit the existing message or create a message. This option is available only if Display Disclaimer is set to By Domain, By Policy, or By User.

Security Profiles: Select the security profiles to apply to the policy. These options are available only if Action is set to ACCEPT.

AntiVirus: Enable the antivirus profile and select or create a profile from the drop-down list. See AntiVirus on page 223.

Web Filter: Enable the web filter profile and select or create a profile from the drop-down list. See Web Filter on page 230.

Application Control: Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor on page 248.

IPS: Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor on page 253.

DLP Sensor: Enable DLP sensors and select or create a sensor from the drop-down list. See Data Leak Prevention on page 287.

Content Analysis: Enable the Content Analysis profile and select or create a profile from the drop-down list. See Create or edit an Image Analysis profile on page 301.

ICAP: Enable the ICAP profile and select or create a profile from the drop-down list. See Create or edit an ICAP profile on page 304.

Log Allowed Traffic: Enable and then select Security Events or All Sessions. This option is available only if Action is set to ACCEPT, REDIRECT, or ISOLATE.

Generate Logs when Session Starts: Enable or disable logging when the session starts.

Log HTTP Transaction: Enable or disable the logging of HTTP transactions.

Comments: Enter a description of up to 1,023 characters to describe the policy.

Enable this policy: Enable to use this policy.

Enable Policy Matching Pass Through: Enable to make the policy a pass-through policy. Disabled by default. When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy.

Enable SSH policy check: Enable or disable whether to redirect SSH traffic to the matching proxy policy. See SSH policy matching on page 135.

To configure a transparent policy:

Type: Select Transparent. See Policy types.

Name: Enter a unique name for the new policy. Names can be changed later.

ZTNA: Enable or disable Zero Trust Network Access (ZTNA). If you enable ZTNA, select whether to use Full ZTNA or IP/MAC filtering.
- Full ZTNA allows users to securely access resources through an SSL-encrypted access proxy. This simplifies remote access by eliminating the use of VPNs.
- IP/MAC filtering uses ZTNA tags to provide an additional factor for identification and a security posture check to implement role-based zero trust access.

ZTNA Server: Select one or more ZTNA servers to use.

ZTNA Tag: Select one or more ZTNA tags to use.

Incoming Interface: Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Outgoing Interface: Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Source: Click +. A window slides out from the right where you can select from the available sources. You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses. The Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source.

Destination: Click +. A window slides out from the right where you can select from the available destinations. You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses.

Negate Destination: Enable to use all destinations except the ones specified in the Destination field.

Schedule: Select a schedule from the drop-down list. Click Create to create a schedule. For more information, see Schedules on page 184.

Service: Select a service or service group that packets must match to trigger this policy. Click Create to create a service list. See Services on page 175. You can add multiple services or service groups.

Action: Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.
- ACCEPT—Accept traffic matched by the policy.
- DENY—Reject traffic matched by the policy.
- REDIRECT—Redirect traffic matched by the policy to the URL specified in the Redirect URL field.
- ISOLATE—Isolate traffic matched by the policy to the isolator server selected in the Isolator Server drop-down list.

Web Cache: Enable or disable web caching.

Reverse Cache: Enable to use reverse proxy web caching. This option is available only if the Action is ACCEPT and Web Cache is enabled.

Web Cache For HTTPS Traffic: Enable or disable web caching for HTTPS traffic.

Status: Enable or disable WAN optimization for traffic accepted by the policy. If Status is enabled, select Active, Passive, or Manual.

Profiles: If you enabled Status and selected Active or Manual WAN optimization, select a profile to use for WAN optimization. See Create or edit a WAN optimization profile on page 316.

Passive Option: If you enabled Status and selected Passive WAN optimization, select Default, Non-transparent, or Transparent.

Peers: If you enabled Status and selected Manual WAN optimization, select a WAN peer. See Create or edit a WAN optimization peer on page 320.

Scan Outgoing Connections to Botnet Sites: Select Disable or Block to protect from botnet and command-and-control traffic.

Webproxy Profile: If you configured a web proxy profile, enable this option and then select the web proxy profile from the drop-down list. See Web Proxy Profile on page 57.

Web Proxy Forwarding Server: If you configured a web proxy forwarding server, enable this option and then select a server from the drop-down list. See Create or edit a forwarding server on page 63.

Force Proxy: Enable or disable whether proxying will be forced.

Protocol Options: Select the proxy options profile for the policy to use. See Proxy Options on page 73.

SSL/SSH Inspection: The SSL/SSH inspection options used by the policy. See SSL/SSH Inspection on page 266.

Display Disclaimer: If you want to display a disclaimer about Internet content that is not controlled by the network access provider, select By Domain, By Policy, or By User. This option is available only if Action is set to ACCEPT.

Customize Messages: Enable and then edit the existing message or create a message. This option is available only if Display Disclaimer is set to By Domain, By Policy, or By User.

Security Profiles: Select the security profiles to apply to the policy. These options are available only if Action is set to ACCEPT.

AntiVirus: Enable the antivirus profile and select or create a profile from the drop-down list. See AntiVirus on page 223.

Web Filter: Enable the web filter profile and select or create a profile from the drop-down list. See Web Filter on page 230.

DNS Filter: Enable the DNS filter profile and select or create a profile from the drop-down list. See DNS Filter on page 242.

Application Control: Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor on page 248.

IPS: Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor on page 253.

DLP Sensor: Enable DLP sensors and select or create a sensor from the drop-down list. See Data Leak Prevention on page 287.

Content Analysis: Enable the Content Analysis profile and select or create a profile from the drop-down list. See Create or edit an Image Analysis profile on page 301.

ICAP: Enable the ICAP profile and select or create a profile from the drop-down list. See Create or edit an ICAP profile on page 304.

Log Allowed Traffic: Enable and then select Security Events or All Sessions. This option is available only if Action is set to ACCEPT, REDIRECT, or ISOLATE.

Generate Logs when Session Starts: Enable or disable logging when the session starts.

Log HTTP Transaction: Enable or disable the logging of HTTP transactions.

Comments: Enter a description of up to 1,023 characters to describe the policy.

Enable this policy: Enable to use this policy.

Enable Policy Matching Pass Through: Enable to make the policy a pass-through policy. Disabled by default. When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy.

Enable SSH policy check: Enable or disable whether to redirect SSH traffic to the matching proxy policy. See SSH policy matching on page 135.

To configure an FTP policy:

Type: Select FTP. See Policy types.

Name: Enter a unique name for the new policy. Names can be changed later.

Outgoing Interface: Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Source: Click +. A window slides out from the right where you can select from the available sources. You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses. The Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source.

Destination: Click +. A window slides out from the right where you can select from the available destinations. You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses.

Negate Destination: Enable to use all destinations except the ones specified in the Destination field.

Schedule: Select a schedule from the drop-down list. Select Create to create a schedule. For more information, see Schedules on page 184.

Action: Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.
- ACCEPT—Accept traffic matched by the policy.
- DENY—Reject traffic matched by the policy.

Security Profiles: Select the security profiles to apply to the policy. These options are available only if Action is set to ACCEPT.

AntiVirus: Enable the antivirus profile and select or create a profile from the drop-down list. See AntiVirus on page 223.

IPS: Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor on page 253.

DLP Sensor: Enable DLP sensors and select or create a sensor from the drop-down list. See Data Leak Prevention on page 287.

Log Allowed Traffic: Enable and then select Security Events or All Sessions. This option is available only if Action is set to ACCEPT.

Generate Logs when Session Starts: Enable or disable logging when the session starts.

Comments: Enter a description of up to 1,023 characters to describe the policy.

Enable this policy: Enable to use this policy.

Enable Policy Matching Pass Through: Enable to make the policy a pass-through policy. Disabled by default. When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy.

To configure an SSH tunnel policy:

Type: Select SSH Tunnel. See Policy types.

Name: Enter a unique name for the new policy. Names can be changed later.

Incoming Interface: Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Outgoing Interface: Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Source: Click +. A window slides out from the right where you can select from the available sources. You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses. The Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source.

Destination: Click +. A window slides out from the right where you can select from the available destinations. You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses.

Negate Destination: Enable to use all destinations except the ones specified in the Destination field.

Schedule: Select a schedule from the drop-down list. Click Create to create a schedule. For more information, see Schedules on page 184.

Service: Select a service or service group that packets must match to trigger this policy. Click Create to create a service list. See Services on page 175. You can add multiple services or service groups.

Action: Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.
- ACCEPT—Accept traffic matched by the policy.
- DENY—Reject traffic matched by the policy.

Security Profiles: Select the security profiles to apply to the policy. These options are available only if Action is set to ACCEPT.

Application Control: Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor on page 248.

IPS: Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor on page 253.

Logging Options: This section is available only if Action is set to ACCEPT.

Log Allowed Traffic: Enable and then select Security Events or All Sessions. This option is available only if Action is set to ACCEPT.

Generate Logs when Session Starts: Enable or disable logging when the session starts.

Comments: Enter a description of up to 1,023 characters to describe the policy.

Enable this policy: Enable to use this policy.

Enable Policy Matching Pass Through: Enable to make the policy a pass-through policy. Disabled by default. When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy.

To configure an SSH proxy policy:

Type: Select SSH Proxy. See Policy types.

Name: Enter a unique name for the new policy. Names can be changed later.

Outgoing Interface: Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Source: Click +. A window slides out from the right where you can select from the available sources. You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses. The Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source.

Destination: Click +. A window slides out from the right where you can select from the available destinations. You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses.

Negate Destination: Enable to use all destinations except the ones specified in the Destination field.

Schedule: Select a schedule from the drop-down list. Click Create to create a schedule. For more information, see Schedules on page 184.

Action: Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.
- ACCEPT—Accept traffic matched by the policy.
- DENY—Reject traffic matched by the policy.

Security Profiles: Select the security profiles to apply to the policy. These options are available only if Action is set to ACCEPT.

Application Control: Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor on page 248.

IPS: Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor on page 253.

Logging Options: This section is available only if Action is set to ACCEPT.

Log Allowed Traffic: Enable and then select Security Events or All Sessions. This option is available only if Action is set to ACCEPT.

Generate Logs when Session Starts: Enable or disable logging when the session starts.

Comments: Enter a description of up to 1,023 characters to describe the policy.

Enable this policy: Enable to use this policy.

Enable Policy Matching Pass Through: Enable to make the policy a pass-through policy. Disabled by default. When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy.

To configure a WAN-optimization tunnel policy:

Type: Select Wanopt. See Policy types.

Name: Enter a unique name for the new policy. Names can be changed later.

Outgoing Interface: Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces.

Source: Click +. A window slides out from the right where you can select from the available sources. You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses. The Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source.

Destination: Click +. A window slides out from the right where you can select from the available destinations. You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses.

Negate Destination: Enable to use all destinations except the ones specified in the Destination field.

Schedule: Select a schedule from the drop-down list. Click Create to create a schedule. For more information, see Schedules on page 184.

Service: Select a service or service group that packets must match to trigger this policy. Click Create to create a service list. See Services on page 175. You can add multiple services or service groups.

Action: Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.
- ACCEPT—Accept traffic matched by the policy.
- DENY—Reject traffic matched by the policy.

Web Cache: Enable or disable web caching.

Reverse Cache: Enable to use reverse proxy web caching. This option is available only if the Action is ACCEPT and Web Cache is enabled.

Web Cache For HTTPS Traffic: Enable or disable web caching for HTTPS traffic.

Security Profiles: Select the security profiles to apply to the policy. These options are available only if Action is set to ACCEPT.

AntiVirus: Enable the antivirus profile and select or create a profile from the drop-down list. See AntiVirus on page 223.

Web Filter: Enable the web filter profile and select or create a profile from the drop-down list. See Web Filter on page 230.

Application Control: Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor on page 248.

IPS: Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor on page 253.

DLP Sensor: Enable DLP sensors and select or create a sensor from the drop-down list. See Data Leak Prevention on page 287.

Content Analysis: Enable the Content Analysis profile and select or create a profile from the drop-down list. See Create or edit an Image Analysis profile on page 301.

Log Allowed Traffic: Enable and then select Security Events or All Sessions. This option is available only if Action is set to ACCEPT.

Generate Logs when Session Starts: Enable or disable logging when the session starts.

Comments: Enter a description of up to 1,023 characters to describe the policy.

Enable this policy: Enable to use this policy.

Enable Policy Matching Pass Through: Enable to make the policy a pass-through policy. Disabled by default. When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy.

Web cache policy address formats

A source or destination address can contain one or more network addresses. Network addresses can be represented by an IP address with a netmask or by an IP address range.

When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a source or destination address can be any of the following:
- a single computer, for example, 192.45.46.45
- a subnetwork, for example, 192.168.1.* for a class C subnet
- 0.0.0.0, which matches any IP address

The netmask corresponds to the subnet class of the address being added and can be represented in either dotted decimal or CIDR format. The FortiProxy unit automatically converts CIDR-formatted netmasks to dotted decimal format. Example formats:
- netmask for a single computer: 255.255.255.255 or /32
- netmask for a class A subnet: 255.0.0.0 or /8
- netmask for a class B subnet: 255.255.0.0 or /16
- netmask for a class C subnet: 255.255.255.0 or /24
- netmask including all IP addresses: 0.0.0.0

Valid IP address and netmask formats include:
- x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
- x.x.x.x/x, such as 192.168.1.0/24

NOTE: An IP address 0.0.0.0 with the netmask 255.255.255.255 is not a valid source or destination address.

When representing hosts by an IP address range, the range indicates hosts with contiguous IP addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the complete range of hosts on that subnet. You can also indicate the complete range of hosts on a subnet by entering 192.168.1.[0-255] or 192.168.1.0-192.168.1.255. Valid IP range formats include:
- x.x.x.x-x.x.x.x, for example, 192.168.110.100-192.168.110.120
- x.x.x.[x-x], for example, 192.168.110.[100-120]
- x.x.x.*, for a complete subnet, for example, 192.168.110.*
- x.x.x.[0-255] for a complete subnet, such as 192.168.110.[0-255]
- x.x.x.0-x.x.x.255 for a complete subnet, such as 192.168.110.0-192.168.110.255

NOTE: You cannot use square brackets [ ] or asterisks * when adding addresses in the CLI. Instead, you must enter the start and end addresses of the subnet range separated by a dash (-). For example, 192.168.20.0-192.168.20.255 for a complete subnet and 192.168.10.10-192.168.10.100 for a range of addresses.
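As an added example, not part of the FortiProxy guide or of Fortinet's own code, the following Python script parses every address notation listed above into a concrete first/last host pair, converts a CIDR prefix to the dotted-decimal netmask form the guide says the unit stores, rejects the 0.0.0.0 with netmask 255.255.255.255 combination the guide calls invalid, and rewrites bracket and asterisk ranges into the start-end form the CLI accepts. All function names are the example's own and the sample inputs are constructed; a bare 0.0.0.0 is treated as "any address" because the guide says it matches any IP address.

```python
import ipaddress
import re

# Added example, not FortiProxy code: parse the GUI address notations the guide
# describes and normalise them the way the guide says the unit does.

# Range notations: x.x.x.[x-x], x.x.x.* and x.x.x.x-x.x.x.x (spaces around the dash allowed).
BRACKET_RE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\[(\d{1,3})-(\d{1,3})\]$")
STAR_RE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\*$")
DASH_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})$")

ANY_ADDRESS = ipaddress.IPv4Address("0.0.0.0")


def cidr_to_dotted(prefix_len):
    """Convert a CIDR prefix length to the dotted-decimal netmask (24 -> 255.255.255.0)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"prefix length out of range: {prefix_len}")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)


def parse_subnet(text):
    """Parse 'x.x.x.x', 'x.x.x.x/x' or 'x.x.x.x/x.x.x.x' into an IPv4Network.

    A bare 0.0.0.0 means 'any address' (0.0.0.0/0); any other bare address is one host (/32).
    0.0.0.0 with netmask 255.255.255.255 is rejected, matching the guide's note.
    """
    s = text.strip()
    if "/" not in s:
        s = f"{s}/0" if s == "0.0.0.0" else f"{s}/32"
    net = ipaddress.IPv4Network(s, strict=False)  # strict=False tolerates host bits set
    if net.network_address == ANY_ADDRESS and net.prefixlen == 32:
        raise ValueError("0.0.0.0 with netmask 255.255.255.255 is not a valid address")
    return net


def normalize_subnet(text):
    """Return the subnet as 'x.x.x.x/x.x.x.x', the dotted-decimal form the unit stores."""
    net = parse_subnet(text)
    return f"{net.network_address}/{net.netmask}"


def parse_range(text):
    """Parse a range notation into (first, last) IPv4Address objects; None if not a range."""
    s = text.strip()
    m = BRACKET_RE.match(s)
    if m:
        base, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad last-octet range in {text!r}")
        return ipaddress.IPv4Address(f"{base}.{lo}"), ipaddress.IPv4Address(f"{base}.{hi}")
    m = STAR_RE.match(s)
    if m:
        return ipaddress.IPv4Address(f"{m.group(1)}.0"), ipaddress.IPv4Address(f"{m.group(1)}.255")
    m = DASH_RE.match(s)
    if m:
        first, last = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
        if first > last:
            raise ValueError(f"range start is after range end in {text!r}")
        return first, last
    return None


def address_bounds(text):
    """Return (first, last) host strings covered by an address in any of the listed formats."""
    rng = parse_range(text)
    if rng is None:
        net = parse_subnet(text)
        rng = (net.network_address, net.broadcast_address)
    return str(rng[0]), str(rng[1])


def to_cli_range(text):
    """Rewrite a GUI range notation as 'start-end', the only range form the CLI accepts."""
    rng = parse_range(text)
    if rng is None:
        raise ValueError(f"{text!r} is not a range notation")
    return f"{rng[0]}-{rng[1]}"


def is_valid_address(text):
    """True if the text is accepted by the rules above (malformed or reversed input is not)."""
    try:
        address_bounds(text)
        return True
    except ValueError:
        return False


def matches(text, host):
    """True if host falls inside the address, whatever notation the address uses."""
    first, last = (ipaddress.IPv4Address(b) for b in address_bounds(text))
    return first <= ipaddress.IPv4Address(host) <= last


if __name__ == "__main__":
    # Constructed sample inputs, one per notation the guide lists, plus the invalid combination.
    for sample in ["192.45.46.45", "192.168.1.0/24", "192.168.1.0/255.255.255.0", "0.0.0.0",
                   "192.168.110.[100-120]", "192.168.110.*", "192.168.110.0 - 192.168.110.255",
                   "0.0.0.0/255.255.255.255"]:
        print(f"{sample:32} -> {address_bounds(sample) if is_valid_address(sample) else 'INVALID'}")
```

Running the script prints the host span each notation covers and flags 0.0.0.0/255.255.255.255 as invalid; to_cli_range() gives the string to paste into the CLI when a GUI-style 192.168.20.* or 192.168.10.[10-100] entry has to be reproduced there.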

Device ownership

When device ownership is enabled, ownership enforcement is done at the policy level. It is disabled by default.

To enable device ownership:

config firewall policy
    edit 2
        set ztna-status enable
        set ztna-ems-tag "FCTEMS_ALL_FORTICLOUD_SERVERS"
        set device-ownership enable
        ...
    next
end

SSH policy matching

SSH policy check is disabled by default and can be enabled in transparent and explicit web policies. When it is enabled, SSH policy matching will only match the SSH policy.

The SSH Policy Redirect (ssh-policy-redirect) command is no longer available.

To configure SSH policy check in the CLI:

config firewall policy
    edit <policy>
        set ssh-policy-check {disable | enable}
    next
end

To configure SSH policy check in the GUI:

1. Go to Policy & Objects > Policy.
2. Edit a transparent or explicit policy, or create a new policy and set Type to Transparent or Explicit.
3. Enable or disable Enable SSH policy check.
4. Click OK.

Authentication Rules

Authentication rules are used to receive user identity, based on the values set for the protocol and source address. If a rule fails to match based on the source address, there will be no other attempt to match the rule; however, the next policy will be attempted. This occurs only when:
- There is an authentication rule, but no authentication method has been set (under config authentication scheme), so the user identity cannot be found.
- The user is successfully matched in the rule but fails to match the current policy.

After a rule is positively matched through the protocol and/or source address, the authentication is checked (with active-auth-method and sso-auth-method). These methods point to schemes, as defined under config authentication scheme.

When you combine authentication rules and schemes, you have granular control over users and IP addresses, creating an efficient process for users to successfully match the criteria before matching the policy.

To manage authentication rules, go to Policy & Objects > Authentication Rules.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the columns to display or to reset all the columns to their default settings. You can also drag column headings to change their order.

The following options are available:

Create New: Create an authentication rule or authentication scheme. See Create or edit an authentication rule on page 139.

Edit: Modify an authentication rule or authentication scheme. See Create or edit an authentication rule on page 139.

Delete: Remove an authentication rule or rules.

Search: Enter a search term to find in the list.

Authentication Rules/Authentication Schemes: Select Authentication Rules to see a list of authentication rules. Select Authentication Schemes to see a list of authentication schemes.

Name: The name of the authentication rule.

Source Address: The source IPv4 addresses, address groups, all, or none.

Source IPv6 Address: The source IPv6 addresses, address groups, all, or none.

Protocol: The protocol that is matched for the rule.

Authentication Scheme: The authentication scheme that is being used. To create an authentication scheme, see Create or edit an authentication scheme on page 142.

SSO Authentication Scheme: The single sign-on authentication method.

Comments: An optional description of the authentication rule.

IP-based Authentication: Whether IP-based authentication is enabled or disabled.

Status: Whether the rule is enabled or disabled.

To manage authentication schemes, go to Policy & Objects > Authentication Rules and then click Authentication Schemes.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the columns to display or to reset all the columns to their default settings. You can also drag column headings to change their order.

The following options are available:

Create New: Create an authentication scheme. See Create or edit an authentication scheme on page 142.

Edit: Edit an authentication scheme. See Create or edit an authentication scheme on page 142.

Delete: Delete an authentication scheme or schemes.

Search: Enter a search term to find in the list.

Authentication Rules/Authentication Schemes: Select Authentication Rules to see a list of authentication rules. Select Authentication Schemes to see a list of authentication schemes.

Name: The name of the authentication scheme.

Method: The authentication method: NTLM, Basic, Digest, Form-based, Negotiate, SAML, SSH Public Key, or Fortinet Single Sign-On (FSSO).

User database: The name of the user database to use.

Negotiate NTLM: Whether NTLM negotiation is required.

Kerberos Keytab: The file containing the shared secret for Kerberos authentication.

Domain Controller: The domain controller.

FSSO Agent: The FSSO agent.

Two-factor Authentication: Whether two-factor authentication is required.

FSSO guest: Whether FSSO-guest authentication is required.

SSH Local CA: Which CA certificate is being used.

Ref.: Displays the number of times the object is referenced by other objects. To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.


Create or edit an authentication rule

To create an authentication rule:

1. In the authentication rule list, select Create New > Authentication Rules from the toolbar.


2. Configure the following:

Name The name of the authentication rule.

Source Address Select the source IPv4 addresses, address groups, all, or none. Required for
web-proxy authentication.

Source IPv6 Address Select the source IPv6 address or addresses, all, or none. Required for web-
proxy authentication.

Protocol Select which protocol is matched for the rule.

Authentication Scheme Enable Authentication Scheme to use an authentication scheme and then
select which authentication scheme to use.
To create an authentication scheme, see Create or edit an authentication
scheme on page 142.

IP-based Authentication Select Enable if you want to use IP-based authentication.

SSO Authentication Scheme If you selected Enable for IP-based authentication, enable SSO Authentication
Scheme if you want to use single sign-on method and then select which single
sign-on method to use.

Comments Enter an optional description of the rule.

Enable This Rule Select Enable or Disable to control whether the authentication rule is used or
ignored.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

3. Click OK to create the new authentication rule.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

To edit an authentication rule:

1. Select the authentication rule you want to edit and then click Edit from the toolbar or double-click on the rule in the
rule table.
2. Edit the rule information as required and click OK to apply your changes.

To set the authentication rule in the CLI:

config authentication rule
    edit <name of rule>
        set status [enable|disable]
        set protocol [http|ftp|socks|ssh]
        set srcintf <name of incoming (ingress) interface>
        set srcaddr <name of IPv4 source address>
        set dstaddr <name of IPv4 destination address>
        set srcaddr6 <name of address object>
        set ip-based [enable|disable]
        set active-auth-method <string>
        set sso-auth-method <string>
        set web-proxy <explicit_proxy_entity>
        set comments <string>
    next
end

• status—Enable or disable the authentication rule.
• protocol—Set the protocols to be matched.
• srcintf—Incoming (ingress) interface.
• srcaddr/srcaddr6—Source address name. Either srcaddr or srcaddr6 (web proxy only) must be set.
• dstaddr—Destination address name.
• ip-based—Enable or disable IP-based authentication.
• active-auth-method—Active authentication method.
• sso-auth-method—SSO authentication method (requires ip-based to be enabled).
• comments—Comment.
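The constraints listed above (a source address must be set; an SSO method needs ip-based enabled; only the four listed protocols are valid) are easy to get wrong when rules are scripted rather than clicked through the GUI. The following is an added example, not code from the FortiProxy guide or from Fortinet: it parses a `config authentication rule` block written in the CLI syntax shown above and lints it against those constraints. `parseCliBlock` and `lintAuthRules` are hypothetical helpers written for this example, and the rule names and scheme names in the sample are constructed.

```javascript
// Added example, not from the FortiProxy guide: parse a "config authentication rule"
// block written in the CLI syntax shown above and lint it against the constraints the
// guide states (srcaddr or srcaddr6 must be set; sso-auth-method requires ip-based
// enable; protocol values are limited to http, ftp, socks and ssh). parseCliBlock and
// lintAuthRules are hypothetical helpers written for this example.

const PROTOCOLS = new Set(['http', 'ftp', 'socks', 'ssh']);

// Strip the surrounding double quotes the CLI uses around names and string values.
function unquote(s) {
  return s.replace(/^"(.*)"$/, '$1');
}

// Parse one config/edit/set/unset/next/end block into { table, entries }.
function parseCliBlock(text) {
  const result = { table: null, entries: {} };
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '') continue;
    const [verb, ...rest] = line.split(/\s+/);
    if (verb === 'config') {
      result.table = rest.join(' ');
    } else if (verb === 'edit') {
      current = unquote(rest.join(' '));
      result.entries[current] = {};
    } else if (verb === 'set' && current !== null) {
      const [key, ...values] = rest;
      result.entries[current][key] = values.map(unquote).join(' ');
    } else if (verb === 'unset' && current !== null) {
      delete result.entries[current][rest[0]];
    } else if (verb === 'next') {
      current = null;
    } else if (verb === 'end') {
      break;
    }
  }
  return result;
}

// Lint a single rule; returns human-readable findings (empty when consistent).
function lintAuthRule(name, rule) {
  const findings = [];
  if (!rule.srcaddr && !rule.srcaddr6) {
    findings.push(`${name}: srcaddr or srcaddr6 must be set`);
  }
  for (const p of (rule.protocol || '').split(' ').filter(Boolean)) {
    if (!PROTOCOLS.has(p)) findings.push(`${name}: unknown protocol "${p}"`);
  }
  if (rule['sso-auth-method'] && rule['ip-based'] !== 'enable') {
    findings.push(`${name}: sso-auth-method requires ip-based enable`);
  }
  return findings;
}

// Lint every rule in a "config authentication rule" block.
function lintAuthRules(text) {
  const parsed = parseCliBlock(text);
  if (parsed.table !== 'authentication rule') {
    return [`expected "config authentication rule", found "${parsed.table}"`];
  }
  return Object.entries(parsed.entries).flatMap(([name, rule]) => lintAuthRule(name, rule));
}

// Constructed sample: the first rule is consistent, the second sets an SSO scheme
// without ip-based authentication and has no source address at all.
const SAMPLE_RULES = `
config authentication rule
    edit "proxy-users"
        set status enable
        set protocol http
        set srcaddr "lan-subnet"
        set ip-based enable
        set active-auth-method "ntlm-scheme"
    next
    edit "sso-only"
        set status enable
        set protocol http ftp
        set ip-based disable
        set sso-auth-method "fsso-scheme"
    next
end
`;

console.log(lintAuthRules(SAMPLE_RULES));
```

Run it over a configuration backup before pushing rules to a unit; a rule that the linter flags for a missing source address will never match web-proxy traffic, and an SSO method without ip-based authentication is silently ignored.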


Create or edit an authentication scheme

To create an authentication scheme:

1. In the authentication scheme list, select Create New > Authentication Schemes from the toolbar.


2. Configure the following:

Name Enter the name of the authentication scheme.

Method Select the authentication methods:
• Basic
• Certificate
• Digest
• Form-based
• Fortinet Single Sign-On (FSSO)
• Negotiate
• NTLM
• RADIUS Single-Sign-On (RSSO)
• SAML
• SSH Public Key
Combining multiple methods is supported for Basic, NTLM, and Negotiate.
For agentless NTLM authentication, see Agentless NTLM support on page 144.

Negotiate NTLM Enable/disable authentication negotiation for NTLM. When disabled, access is
limited for non-domain users while using proxy authentication.
This option is only available when the method includes Negotiate.

Kerberos keytab Select the file containing the shared secret for Kerberos authentication.

Domain Controller If you selected NTLM, select the domain controller.

User database Select which user database to use.

Two-factor authentication Move the slider to control whether two-factor authentication is required.

FSSO Agent Move the slider to select the FSSO agent to use.

FSSO guest Move the slider to control whether FSSO-guest authentication is required.

SSH local CA Select which CA certificate to use.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

3. Click OK to create the new authentication scheme.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.


To edit an authentication scheme:

1. Select the authentication scheme you want to edit and then click Edit from the toolbar or double-click on the scheme
in the scheme table.
2. Edit the scheme information as required and click OK to apply your changes.

To create an authentication scheme in the CLI:

config authentication scheme
    edit <name>
        set method {ntlm | basic | digest | form | negotiate | fsso | rsso | ssh-publickey | cert | saml | saml-sp}
        set domain-controller <string>
        set fsso-agent-for-ntlm <string>
        set fsso-guest {enable | disable}
        set kerberos-keytab <string>
        set negotiate {enable | disable}
        set negotiate-ntlm {enable | disable}
        set require-tfa {enable | disable}
        set saml-ipd-portal <string>
        set ssh-ca <string>
        set user-database <auth_server>
    next
end

The following methods are available:
• basic—Basic HTTP authentication. This is the default method.
• digest—Digest HTTP authentication.
• ntlm—NTLM authentication. For agentless NTLM authentication, see Agentless NTLM support on page 144. To configure the domain source when doing NTLM authentication, see Domain name source when doing NTLM authentication on page 145.
• form—Form-based HTTP authentication.
• negotiate—Negotiate authentication.
• fsso—FSSO authentication.
• rsso—RADIUS Single Sign-On authentication.
• saml—SAML-IDP authentication (requires external FortiAuthenticator).
• saml-sp—SAML-IDP authentication with FortiProxy as the service provider.
• ssh-publickey—Public-key-based SSH authentication.
• x-auth-user—User from HTTP x-authenticated-user header.

Agentless NTLM support

Agentless NTLM authentication can be configured directly from the FortiProxy unit to the Domain Controller using the
SMB protocol (no agent is required).
NOTE: This authentication method is only supported for proxy policies.


Syntax

NOTE: The set domain-controller command is only available when method is set to ntlm and/or negotiate-ntlm is set to enable.

config authentication scheme
    edit <name>
        set method ntlm
        set domain-controller <dc-setting>
    next
end

config user domain-controller
    edit <name>
        set ip-address <dc-ip>
        set port <port> // The default is 445.
        set domain-name <dns-name>
        set ldap-server <name>
    next
end

Domain name source when doing NTLM authentication

When doing NTLM authentication, the domain is determined in the following order:
1. If the domain controller has a domain name configured, it is used.
2. Otherwise, if the NTLM type 3 message sent by the client contains a domain name, it is used.
3. Otherwise, if the NTLM type 2 message sent by the domain controller (DC) contains a domain name, it is used.

To configure the domain name source, if it is not set:

config user domain-controller
    edit "adfs-dc"
        set ip-address 192.168.130.200
        unset domain-name
        set domain-name-src {server | client}
        set ldap-server "adfsldap"
    next
end

The domain name can be extracted from either the server's (DC) data or from the client's data.
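The two message types named above carry the domain name in fixed-layout fields, and knowing which one a unit used matters when authentication logs attribute a session to an unexpected domain. The following is an added example, not code from the FortiProxy guide or from Fortinet: it reads the domain name from an NTLM type 2 (CHALLENGE, from the DC) and type 3 (AUTHENTICATE, from the client) message and applies the precedence the guide describes, reporting the source as domain-controller, client, or server (the last two correspond to the server and client values of domain-name-src). Field offsets follow the MS-NLMP message layouts; the sample messages, the domain names CORP and EXAMPLE and the user alice are constructed for this example and carry no real challenge or response data.

```javascript
// Added example, not from the FortiProxy guide: read the domain name carried in NTLM
// Type 2 (CHALLENGE, from the DC) and Type 3 (AUTHENTICATE, from the client) messages
// and apply the precedence described above. Field offsets follow the MS-NLMP message
// layouts; the sample messages below are constructed for this example and carry no
// real challenge/response data.

const SIGNATURE = Buffer.from('NTLMSSP\0', 'latin1');
const FLAG_UNICODE = 0x00000001; // NTLMSSP_NEGOTIATE_UNICODE: strings are UTF-16LE

// Read a {Len, MaxLen, BufferOffset} descriptor at `pos` and return the string it points to.
function readField(buf, pos, flags) {
  const len = buf.readUInt16LE(pos);
  const offset = buf.readUInt32LE(pos + 4);
  if (offset + len > buf.length) throw new Error('field descriptor points outside the message');
  return buf.subarray(offset, offset + len).toString(flags & FLAG_UNICODE ? 'utf16le' : 'latin1');
}

function messageType(buf) {
  if (buf.length < 12 || !buf.subarray(0, 8).equals(SIGNATURE)) throw new Error('not an NTLMSSP message');
  return buf.readUInt32LE(8);
}

// Type 2: TargetName descriptor at 12, NegotiateFlags at 20.
function domainFromType2(buf) {
  if (messageType(buf) !== 2) throw new Error('expected a Type 2 message');
  return readField(buf, 12, buf.readUInt32LE(20));
}

// Type 3: DomainName descriptor at 28, UserName at 36, NegotiateFlags at 60.
function domainAndUserFromType3(buf) {
  if (messageType(buf) !== 3) throw new Error('expected a Type 3 message');
  const flags = buf.readUInt32LE(60);
  return { domain: readField(buf, 28, flags), user: readField(buf, 36, flags) };
}

// Precedence from the guide: the DC's configured domain-name, then the client's
// Type 3 domain, then the DC's Type 2 target name.
function resolveDomain({ configuredDomain = '', type3 = null, type2 = null }) {
  if (configuredDomain) return { domain: configuredDomain, source: 'domain-controller' };
  const fromClient = type3 ? domainAndUserFromType3(type3).domain : '';
  if (fromClient) return { domain: fromClient, source: 'client' };
  const fromServer = type2 ? domainFromType2(type2) : '';
  if (fromServer) return { domain: fromServer, source: 'server' };
  return { domain: '', source: 'none' };
}

// --- constructed sample messages (Unicode flag set; Version and MIC omitted) ---
function descriptor(len, offset) {
  const d = Buffer.alloc(8);
  d.writeUInt16LE(len, 0);
  d.writeUInt16LE(len, 2);
  d.writeUInt32LE(offset, 4);
  return d;
}

function buildType2(targetName) {
  const payload = Buffer.from(targetName, 'utf16le');
  const header = Buffer.alloc(48); // fixed part through TargetInfoFields; ServerChallenge left zero
  SIGNATURE.copy(header, 0);
  header.writeUInt32LE(2, 8);
  descriptor(payload.length, 48).copy(header, 12);
  header.writeUInt32LE(FLAG_UNICODE, 20);
  return Buffer.concat([header, payload]);
}

function buildType3(domain, user) {
  const dom = Buffer.from(domain, 'utf16le');
  const usr = Buffer.from(user, 'utf16le');
  const header = Buffer.alloc(64); // fixed part through NegotiateFlags; responses left empty
  SIGNATURE.copy(header, 0);
  header.writeUInt32LE(3, 8);
  descriptor(dom.length, 64).copy(header, 28);
  descriptor(usr.length, 64 + dom.length).copy(header, 36);
  header.writeUInt32LE(FLAG_UNICODE, 60);
  return Buffer.concat([header, dom, usr]);
}

const TYPE2 = buildType2('CORP');              // DC says the target domain is CORP
const TYPE3 = buildType3('EXAMPLE', 'alice');  // client claims EXAMPLE\alice

console.log(resolveDomain({ type3: TYPE3, type2: TYPE2 })); // client's domain wins when no DC domain-name is set
```

The bounds check in readField is the part worth keeping when adapting this to real traffic: a descriptor whose offset and length point past the end of the message is malformed and should be rejected, not read.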

Proxy Auth Setting

This submenu provides settings for configuring authentication timeout, protocol support, authentication certificates, authentication schemes, and captive portals. When user authentication is enabled within a security policy, the authentication challenge is normally issued for any of the four protocols (depending on the connection protocol):
• HTTP (can also be set to redirect to HTTPS)
• HTTPS
• FTP
• Telnet
The selections control which protocols support the authentication challenge. Users must connect with a supported protocol first so that they can subsequently connect with other protocols. If HTTPS is selected as a method of protocol support, the user can authenticate with a customized local certificate.
When you enable user authentication within a security policy, the security policy user is challenged to authenticate. For user ID and password authentication, users must provide their user names and passwords. For certificate authentication (HTTPS or HTTP redirected to HTTPS only), you can install customized certificates on the unit, and the users can also have customized certificates installed on their browsers. Otherwise, users see a warning message and have to accept a default Fortinet certificate.
To configure proxy authentication settings, go to Policy & Objects > Proxy Auth Settings.


Configure the following settings and then select Apply to save your changes:

Authentication Timeout Enter the amount of time, in minutes, that an authenticated firewall connection
can be idle before the user must authenticate again. From 1 to 480 minutes. The
default is 5.

Protocol Support Select the protocols to challenge during firewall user authentication from the following:
• HTTP
• HTTPS
• FTP
• Telnet

Certificate If you want to use a local certificate for authentication, enable Certificate and then
select the certificate. The default is Fortinet_Factory.

Active Auth Scheme If you want to use an active authentication scheme, enable Active Auth Scheme
and then select which scheme to use.
To create an authentication scheme, see Create or edit an authentication scheme
on page 142.

SSO Auth Scheme If you want to use a single-sign-on authentication scheme, enable SSO Auth
Scheme and then select which scheme to use.

Captive Portal If you want to use a captive portal to authenticate web users, enable Captive Portal and then select a captive portal. Enter the captive portal port number and select the portal type. If you select IP as the captive portal type, enter the captive portal IP address.

Redirecting HTTP user authentication to HTTPS Enable Redirecting HTTP user authentication to HTTPS if you want HTTPS user authentication used instead of HTTP user authentication and then enter the captive portal SSL port number.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

Edit in CLI Click to open a CLI console window to view and edit the setting in the CLI. If there
are multiple CLI settings on the page, the CLI console shows the first setting.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

To configure the authentication settings in the CLI:

config authentication setting
    set active-auth-scheme <string>
    set sso-auth-scheme <string>
    set captive-portal <string>
    set captive-portal-port <integer value from 1 to 65535; default is 0>
    set auth-https {enable | disable}
    set captive-portal-ssl-port <integer value from 1 to 65535; default is 7831>
end

• active-auth-scheme—Active authentication method.
• sso-auth-scheme—SSO authentication method.
• captive-portal—Captive portal host name.
• captive-portal-port—Captive portal port number.
• auth-https—Enable or disable redirecting HTTP user authentication to HTTPS.
• captive-portal-ssl-port—Captive portal SSL port number.

Traffic shaping

To control network traffic with traffic shaping:

1. Define a traffic shaper to control the maximum and guaranteed throughput. See Traffic shapers on page 148.
2. Assign the traffic shaper to an interface. See Create or edit an interface on page 89. You can define separate traffic
shapers for incoming and outgoing network traffic.
3. Configure a traffic-shaping policy. See Traffic-shaping policy on page 152.

Traffic shapers

With a traffic shaper, you can divide the available bandwidth among several classes. Each class specifies how much
bandwidth is needed as a percentage of the total bandwidth.
To see a list of available traffic shapers in the GUI, go to Policy & Objects > Traffic Shapers.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Select to open the Create Traffic Shapers window. See Create or edit a traffic
shaper on page 149.

Edit Edit the selected traffic shaper. See Create or edit a traffic shaper on page 149.

Delete Delete the selected traffic shaper.


Search Enter a search term to find in the traffic shaper list.

Profile Name The name of the traffic shaper.

Comments A description of the traffic shaper.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref., and the
Object Usage window appears displaying the various locations of the referenced
object.

Create or edit a traffic shaper

Select Create New to open the New Shaping Profile window. To edit a traffic shaper, select the traffic shaper and then
click Edit.

Configure the following settings in the New Shaping Profile window or the Edit Shaping Profile window and then click OK:

Name Enter a name for the new traffic shaper. You cannot change the name after you
create the traffic shaper.


Default Class Select the class that the traffic shaper will use by default. The default class must
be equal to the Class ID for one of the classes in the traffic shaper.

Comments Enter any additional information that might be needed by administrators, as a reminder of the traffic shaper's purpose and scope. This setting is optional.

Classes Classes that can be used in the traffic shaper.

Create New Select to create a class. See Create or edit a class on page 151.

Edit Select to modify a class.

Delete Select to remove a class from the list.

Search Enter a search term to find in the classes list.

Name Class name.

Class ID Class identifier.

Priority The priority is top, critical, high, medium, or low.

Guaranteed Bandwidth The guaranteed bandwidth ensures that a consistent reserved bandwidth is
available for a given service or user. Ensure that you set the bandwidth to a value
that is significantly less than the bandwidth capacity of the interface. Otherwise,
little to no traffic will pass through the interface and potentially cause unwanted
latency.
Enter the percentage, from 0 to 100.

Maximum Bandwidth The maximum bandwidth sets the largest percentage of the interface bandwidth that the
matching traffic is allowed to use.
Enter the percentage, from 1 to 100. The Maximum Bandwidth must be equal to or
greater than the Guaranteed Bandwidth.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

To create a traffic shaper and class in the CLI:

config firewall shaping-profile
    edit <traffic_shaper_name>
        config classes
            edit <ID_value>
                set class-id <2-31>
                set priority {top | critical | high | medium | low}
                set guaranteed-bandwidth <0-100 percent>
                set maximum-bandwidth <1-100 percent>
            next
        end
        set default-class <2-31, must be equal to class-id value>
    next
end

For example:

config firewall shaping-profile
    edit TrafficShaper1
        config classes
            edit 1
                set class-id 3
                set priority low
                set guaranteed-bandwidth 50
                set maximum-bandwidth 75
            next
        end
        set default-class 3
    next
end
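The class fields above carry several constraints that the CLI does not cross-check for you in one place: class-id within 2 to 31, guaranteed bandwidth 0 to 100, maximum bandwidth 1 to 100 and never below the guaranteed value, and a default class that matches one of the classes. The following is an added example, not code from the FortiProxy guide or from Fortinet: it validates a shaping profile held as a plain object against those constraints and renders it in the CLI form shown above. The object layout, the class names bulk and mgmt, and the over-commit check (guaranteed percentages that add up to more than 100) are this example's own additions.

```javascript
// Added example, not from the FortiProxy guide: check a shaping profile against the
// constraints stated above (class-id 2-31, guaranteed 0-100, maximum 1-100, maximum
// >= guaranteed, default-class equal to one class-id) and render it as the CLI block
// shown above. The object layout and the over-commit check (guaranteed percentages
// summing past 100) are this example's own additions.

const PRIORITIES = ['top', 'critical', 'high', 'medium', 'low'];

function validateShapingProfile(profile) {
  const errors = [];
  const seen = new Set();
  let guaranteedTotal = 0;
  for (const c of profile.classes) {
    const where = `class ${c.id} (${c.name})`;
    if (!Number.isInteger(c.classId) || c.classId < 2 || c.classId > 31) {
      errors.push(`${where}: class-id must be an integer from 2 to 31`);
    }
    if (seen.has(c.classId)) errors.push(`${where}: duplicate class-id ${c.classId}`);
    seen.add(c.classId);
    if (!PRIORITIES.includes(c.priority)) {
      errors.push(`${where}: priority must be one of ${PRIORITIES.join(', ')}`);
    }
    if (c.guaranteed < 0 || c.guaranteed > 100) errors.push(`${where}: guaranteed-bandwidth must be 0-100`);
    if (c.maximum < 1 || c.maximum > 100) errors.push(`${where}: maximum-bandwidth must be 1-100`);
    if (c.maximum < c.guaranteed) {
      errors.push(`${where}: maximum-bandwidth must be equal to or greater than guaranteed-bandwidth`);
    }
    guaranteedTotal += c.guaranteed;
  }
  if (!seen.has(profile.defaultClass)) {
    errors.push(`default-class ${profile.defaultClass} does not match any class-id`);
  }
  if (guaranteedTotal > 100) {
    errors.push(`guaranteed-bandwidth adds up to ${guaranteedTotal}%, which over-commits the interface`);
  }
  return errors;
}

// Render the profile in the CLI form used by the guide.
function toCli(profile) {
  const lines = ['config firewall shaping-profile', `    edit ${profile.name}`, '        config classes'];
  for (const c of profile.classes) {
    lines.push(`            edit ${c.id}`,
      `                set class-id ${c.classId}`,
      `                set priority ${c.priority}`,
      `                set guaranteed-bandwidth ${c.guaranteed}`,
      `                set maximum-bandwidth ${c.maximum}`,
      '            next');
  }
  lines.push('        end', `        set default-class ${profile.defaultClass}`, '    next', 'end');
  return lines.join('\n');
}

// Constructed sample: the guide's TrafficShaper1 class plus a second class that
// reserves part of the remaining bandwidth for management traffic.
const SHAPER = {
  name: 'TrafficShaper1',
  defaultClass: 3,
  classes: [
    { id: 1, name: 'bulk', classId: 3, priority: 'low', guaranteed: 50, maximum: 75 },
    { id: 2, name: 'mgmt', classId: 4, priority: 'top', guaranteed: 20, maximum: 100 },
  ],
};

// Constructed sample with three mistakes: maximum below guaranteed, an out-of-range
// class-id, and a default-class that matches no class.
const BROKEN_SHAPER = {
  name: 'Broken',
  defaultClass: 2,
  classes: [
    { id: 1, name: 'a', classId: 3, priority: 'low', guaranteed: 50, maximum: 40 },
    { id: 2, name: 'b', classId: 40, priority: 'high', guaranteed: 40, maximum: 100 },
  ],
};

console.log(validateShapingProfile(SHAPER)); // []
console.log(toCli(SHAPER));
```

Run validateShapingProfile before toCli and refuse to emit the block when it returns anything; a profile whose guaranteed percentages over-commit the interface is exactly the case the guide warns about, where little or no traffic passes.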

Create or edit a class

From the New Shaping Profile window or the Edit Shaping Profile window, you can create or edit a class. Select Create
New to open the Create Class window. To change a class, select the class and then click Edit.

Configure the following settings in the Create Class window or the Edit Class window and then click OK:

Name Enter the name of the class.

Class ID Enter the class identifier. The range is 2-31.

Priority Select the priority: Top, Critical, High, Medium, or Low.


Guaranteed Bandwidth Enter the percentage, from 0 to 100.

Maximum Bandwidth Enter the percentage, from 1 to 100. The Maximum Bandwidth must be equal or
greater than the Guaranteed Bandwidth.

Traffic-shaping policy

A traffic-shaping policy is defined by the following:
• Matching criteria for IPv4 or IPv6 network traffic
• Class ID of a traffic shaper
• Reverse class ID of a traffic shaper
The matching criteria can be any combination of source address, destination addresses, services, and outgoing
interfaces. Whenever an outgoing packet matches the criteria in the traffic-shaping policy, the packet is assigned the
class ID of the traffic shaper defined in the traffic-shaping policy. Whenever an incoming packet matches the criteria in
the traffic shaper, the packet is assigned the reverse class ID of the traffic shaper defined in the traffic-shaping policy. If
the incoming or outgoing packet does not match the criteria in any traffic-shaping policy, the packet is assigned the
default class ID.
To see the available traffic-shaping policies in the GUI, go to Policy & Objects > Traffic Shaping Policy.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Click to open the Create Shaping Policy window. See Create or edit a traffic-
shaping policy on page 153.

Edit Click to edit the selected policy. See Create or edit a traffic-shaping policy on
page 153.

Delete Click to delete the selected policy.

Search Enter a search term to find in the policy list.

Status Whether the policy is enabled or disabled.

Original Address The source address, address group, user, or user group that the policy matches.

Destination Address The destination address or address group that the policy matches.

Services Services allowed by the policy.

Destination Interface The outgoing interface that the policy matches.


Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref., and the
Object Usage window appears displaying the various locations of the referenced
object.

Custom Groups Groups allowed by the policy.

Users Users allowed by the policy.

Create or edit a traffic-shaping policy

Select Create New to open the Create Shaping Policy window. To change a traffic-shaping policy, select a policy and
then click Edit.


Configure the following settings in the New Shaping Policy window or the Edit Shaping Policy window and then click OK:

IP Version Select IPv4 or IPv6.

Source Select or create the source address, address group, user, or user group that the
traffic must match. You can select multiple sources in multiple categories.

Destination Select or create the destination address or address group that the traffic must
match. You can select multiple destinations in both categories.

Service Type Select whether firewall services or Internet services are used for this policy.

Firewall Service If you selected Firewall Service as the service type, select one or more firewall
services that the traffic must match.

Internet Service If you selected Internet Service as the service type, select one or more Internet
services that the traffic must match.

Users Select one or more users that the traffic must match.

Groups Select one or more user groups that traffic must match.

Outgoing Interface Set this to the external interface that the traffic must match.

class-id The class ID of a traffic shaper for outgoing packets.

class-id-reverse The class ID of a traffic shaper for incoming packets.

Comments Enter any additional information that might be needed by administrators, as a reminder of the policy's purpose and scope. This setting is optional.

Enable this policy Policies are enabled by default, but, if you want to disable a traffic-shaping policy,
move the slider to disable the policy.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

Central SNAT

NAT is a process used to modify or translate either the source or destination IP address or port in a packet header. The
primary use for NAT is to allow multiple network devices on a private network to be represented by a single public IP
address when they browse the Internet.


The FortiProxy unit applies the NAT settings from matching central Source Network Address Translation (SNAT)
policies. Go to Policy & Objects > Central SNAT to create a central SNAT policy.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Select to open the Create Central SNAT window. See Create or edit a central
SNAT policy on page 155.

Edit Edit the selected central SNAT policy. See Create or edit a central SNAT policy on
page 155.

Clone Copy an existing central SNAT policy.

Delete Delete the selected central SNAT policy.

Search Enter a search term to find in the list.

Policy ID SNAT identifier.

Status The status is either enable (active) or disable (inactive).

Source Interface The source interface name is either a port or any.

Destination Interface The destination interface name.

Source Address The source addresses and address groups.

Destination Address The destination addresses and address groups.

Action The central SNAT action is Bypass, Masquerade, or IP Pools.

nat-ippool The name of the NAT IP pool.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create or edit a central SNAT policy

Select Create New to open the Create Central SNAT window. To change a central SNAT policy, select the policy and
then click Edit.


Configure the following settings in the Create Central SNAT window or the Edit Central SNAT window and then click OK:

Status Select Enable to make the central SNAT policy active.

Action Select one of the following options for the central SNAT action:
• Bypass—Do not perform network address translation (NAT).
• Masquerade—Use a single IP address to protect multiple IP addresses in a LAN.
• IP Pools—Use an IP address from an IP pool. An IP pool defines a single IP address or a range of IP addresses to be used as the source address for the duration of the session. These assigned addresses are used instead of the IP address assigned to that FortiProxy interface.

Type Select IPv4 or IPv6.

Source Interface Select one of the available interfaces from the drop-down list.

Destination Interface Select one of the available interfaces from the drop-down list.

Source Address / Source IPv6 Address Click +. A window slides out from the right. Here, you can select from the available addresses and address groups. Select one or more items to add to the field. Clicking on an object in this window while it is highlighted removes it from the field. Multiple selections are allowed. For more information on addresses, see Addresses on page 164.

Destination Address / Destination IPv6 Address Click +. A window slides out from the right. Here, you can select from the available addresses and address groups. Select one or more items to add to the field. Clicking on an object in this window while it is highlighted removes it from the field. Multiple selections are allowed. For more information on addresses, see Addresses on page 164.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

To create a central SNAT policy in the CLI:

config firewall central-snat-map
    edit <policy_identifier>
        set status {enable | disable}
        set action {bypass | masquerade | ippool}
        set ipv6 {enable | disable}
        set srcintf <source_interface_name>
        set dstintf <destination_interface_name>
        set src-addr <original_address>
        set dst-addr <original_address>
end

For example, to create an IPv4 central SNAT policy:

config firewall central-snat-map
    edit 1
        set status enable
        set action masquerade
        set ipv6 disable
        set srcintf port2
        set dstintf port1
        set src-addr "all"
        set dst-addr "all"
end

For example, to create an IPv6 central SNAT policy:

config firewall central-snat-map
    edit 1
        set status enable
        set action ippool
        set ipv6 enable
        set srcintf port1
        set dstintf port3
        set src-addr6 "all"
        set dst-addr6 "all"
        set nat-ippool6 "pool6"
end

PAC Policy

Proxy auto-config (PAC) files automatically choose the appropriate proxy server for browsers and other user agents. Not
every user in an organization has the same proxy server requirements. Supporting multiple PAC files provides granular
control. To manage multiple PAC files, you use PAC policies.
To see a list of available PAC policies in the GUI, go to Policy & Objects > PAC Policy.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Select to open the Create PAC Policy window. See Create or edit a PAC policy on
page 159.

Edit Edit the selected PAC policy. See Create or edit a PAC policy on page 159.

Delete Delete the selected PAC policy.

Search Enter a search term to find in the list.

Policy ID The PAC policy identifier.

Status The status is enabled or disabled.

Original Address The source address of the initiating traffic.

Destination Address The destination address that the policy matches.

PAC File Name The name of the PAC file.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.

Create or edit a PAC policy

Select Create New to open the Create PAC Policy window. To change a PAC policy, select a policy and then click Edit.

Configure the following settings in the Create PAC Policy window or the Edit PAC Policy window and then click OK:

Policy ID Enter the PAC policy identifier.

Status Click Enable to make the policy active.

Original Address Enter the source IPv4 address of the initiating traffic.

Source Address IPv6 Enter the source IPv6 address of the initiating traffic.

Destination Address Enter the destination address that the policy matches.


Pac File Name Enter the name of the PAC file.

Comments Enter an optional description of the PAC policy.

PAC File Content Type or copy and paste a PAC file.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

Edit a PAC file

In the Create PAC Policy window or Edit PAC Policy window, click Edit to open the Edit PAC File Content window.

To add content to a PAC file:

1. If you have a PAC file, select Browse, navigate to the PAC file, select Open, and then select Import. After you import
the PAC file, you can edit the content in the text box.
2. If you do not have a PAC file, you can type the content into the text box or copy and paste the content into the text
box.
3. Click Apply.
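
A complete PAC file of the kind this text box holds, as an added example that is not from the guide or from Fortinet. The proxy host and port (proxy.example.internal:8080), the internal domain and address ranges, and the exempted update host are assumptions. The PAC helper functions (isPlainHostName, dnsDomainIs, shExpMatch, isInNet) are normally supplied by the browser's PAC runtime; minimal equivalents are defined inline only so the file can be exercised outside a browser:

```javascript
// Added example: a PAC file that a FortiProxy PAC policy could serve.
// The proxy address (proxy.example.internal:8080), the internal domain and
// ranges, and the exempted update host are assumptions, not values from
// the guide. The helper functions below are re-implemented so the file runs
// outside a browser; a real PAC file contains only FindProxyForURL.

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Shell-style glob match: "*" matches any run of characters, "?" one character.
function shExpMatch(str, pattern) {
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Dotted-quad IPv4 string to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
}

// The browser's isInNet resolves host names first; this constructed version
// only accepts literal IPv4 addresses, so names simply do not match a range.
function isInNet(ip, net, mask) {
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(ip)) return false;
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// Assumed deployment values.
const PROXY = "PROXY proxy.example.internal:8080";
const DIRECT = "DIRECT";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified and loopback hosts never leave the client.
  if (isPlainHostName(host) || host === "localhost" || host === "127.0.0.1") {
    return DIRECT;
  }
  // Internal domain and internal address ranges go direct (assumed values).
  if (dnsDomainIs(host, ".corp.example") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return DIRECT;
  }
  // A service that must not pass through the proxy can be exempted (assumed).
  if (shExpMatch(host, "*.updates.example")) {
    return DIRECT;
  }
  // Everything else is sent through the explicit web proxy.
  return PROXY;
}
```

The final return deliberately names only the proxy. Appending "; DIRECT" as a fallback is common in PAC files, but it fails open: whenever the proxy is unreachable the browser connects directly, bypassing the explicit web proxy policies and any inspection they apply.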

Policy Test

You can check the configuration of explicit web proxy policies and transparent firewall policies to confirm that they are
set up correctly.

The combination of policy type and source IP address forms the source traffic to test.
If a URI or HTTP header is specified as the destination, the policy test uses a DNS lookup to determine the actual
IP address and port number of the destination traffic. If the clientʼs DNS lookup differs from the deviceʼs DNS lookup, the
policy used for the test might be different than the policy used on the clientʼs traffic.

To test a policy:

1. Go to Policy & Objects > Policy Test.
2. Configure the following settings:

Policy Test Select whether you want to test an Explicit or Transparent policy.

Source IP Enter the source IP address.

Web Proxy If you selected Explicit, select web-proxy or search for an explicit web proxy.
To create an explicit web proxy, see Create or edit an explicit web proxy on
page 51.

Source Interface If you selected Transparent, enter the source interface.

Destination Select IP:Port, URI, or HTTP Header and enter the destination.

User & Group If you want to test a specific user or user group, enable User & Group and then
select one user or user group.

3. Click OK. The results show the policy configuration if a policy matches the parameters.

Decrypted Traffic Mirror

SSL mirroring allows the FortiProxy unit to decrypt and mirror traffic to a designated port. A decrypted traffic mirror profile
can be applied to explicit, transparent, SSH tunnel, and SSH proxy policies when the custom-deep-inspection,
deep-inspection, or deep-test SSL/SSH inspection security profile is selected.
SSL inspection is automatically enabled when you enable a security profile on the policy configuration page.
To see a list of available decrypted traffic mirror profiles in the GUI, go to Policy & Objects > Decrypted Traffic Mirror.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Select to open the Create Decrypted Traffic Mirror window. See Create or edit a
decrypted traffic mirror profile on page 163.

Edit Edit the selected decrypted traffic mirror profile. See Create or edit a decrypted
traffic mirror profile on page 163.

Clone Copy an existing decrypted traffic mirror profile.

Delete Delete the selected decrypted traffic mirror profile.

Search Enter a search term to find in the list.

Name The name of the decrypted traffic mirror profile.

Destination MAC The destination MAC address for the mirrored traffic.

Decrypted Traffic Type Whether decrypted SSL traffic, decrypted SSH traffic, or both are mirrored.

Decrypted Traffic Source Whether decrypted client-side traffic, decrypted server-side traffic, or both are
mirrored.

Interfaces The interfaces for decrypted traffic to be mirrored.

Ref. Displays the number of times the object is referenced by other objects.
To view the location of the referenced object, select the number in Ref., and the
Object Usage window appears displaying the various locations of the referenced
object.

Create or edit a decrypted traffic mirror profile

Select Create New to open the Create Decrypted Traffic Mirror window. To change a decrypted traffic mirror profile,
select a profile and then click Edit.

Configure the following settings in the Create Decrypted Traffic Mirror window or the Edit Decrypted Traffic Mirror
window and then click OK:

Name Enter the name of the decrypted traffic mirror profile.

Destination MAC Enter the destination MAC address for the mirrored traffic.

Decrypted Traffic Type Select whether decrypted SSL traffic, decrypted SSH traffic, or both are mirrored.

Decrypted Traffic Source Select whether decrypted client-side traffic, decrypted server-side traffic, or both
are mirrored.

Interface Select which interfaces will have decrypted traffic mirrored.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

To create a decrypted traffic mirror profile in the CLI:

config firewall decrypted-traffic-mirror
    edit <name_of_profile>
        set dstmac <destination_MAC_address>
        set traffic-type {ssl | ssh}
        set traffic-source {client | server | both}
        set interface <interface_name>
    next
end

For example:

config firewall decrypted-traffic-mirror
    edit "1"
        set dstmac ff:ff:ff:ff:ff:ff
        set traffic-type ssl ssh
        set traffic-source both
        set interface "port1"
    next
end

Addresses

Web cache addresses and address groups define the network addresses that you use when configuring source and
destination addresses for security policies. The FortiProxy unit compares the IP addresses contained in packet headers
with security policy source and destination addresses to determine if the security policy matches the traffic. Addresses
can be IPv4 addresses and address ranges, IPv6 addresses, and fully qualified domain names (FQDNs).

Be careful if employing FQDN web cache addresses. Using a fully qualified domain name in a
security policy, while convenient, does present some security risks because policy matching
then relies on a trusted DNS server. If the DNS server becomes compromised, security
policies requiring domain name resolution might no longer function properly.

Web cache addresses in the address list are grouped by type: Address, Address Group, IPv6 Address, IPv6 Address
Group, Proxy Address, or Proxy Group. A FortiProxy unit’s default configuration includes the all address, which represents
any IPv4 address on any network. You can also add a firewall address when configuring a security policy.
To view the address list, go to Policy & Objects > Addresses.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New > Address Add a new address. See Create or edit an address on page 166.

Create New > Address Group Add a new address group. See Create or edit an address group on page 169.

Create New > IPv6 Address Template Add an IPv6 address template. See Create or edit an IPv6 address template on
page 171.

Edit Edit the selected address. See Create or edit an address on page 166 or Create
or edit an address group on page 169.

Clone Make a copy of the selected address or address group.

Delete Remove the selected address or address group. This icon appears only if a policy
or address group is not currently using the address.

Search Search for text in any column.

Name The name of the address.

Details The domain name.

Interface The interface to which the address is bound.

Type Select the type of address: FQDN, Geography, IP Range, Subnet, Wildcard
FQDN, Dynamic SDN address, IPv6 Subnet, URL Pattern, Host Regex Match,
URL Category, HTTP Method, User Agent, HTTP Header, Advanced (Source), or
Advanced (Destination).

Ref. Displays the number of times the object is referenced by other objects.
To view the location of the referenced object, select the number in Ref., and the
Object Usage window appears displaying the various locations of the referenced
object.

Comments Optional description of the address.

Exclude Members Addresses excluded from an address group.

Routable Whether the IP address can be used for routing.

Create or edit an address

Select Create New > Address to open the New Address window.

To open the Edit Address window, select an address and then click Edit.
Configure the following settings in the New Address window or the Edit Address window and then click OK:

Category Select Address, IPv6 Address, or Proxy Address.

Name Enter a name for the IPv4 address, IPv6 address, or proxy address. Addresses
must have unique names.

Color Select Change to choose a color for the icon.

Type If you selected Address for the category, select one of the following: Subnet, IP
Range, FQDN, Geography, Dynamic, or Device (MAC Address).

If you selected IPv6 Address for the category, select IPv6 Subnet, IPv6 Range,
IPv6 FQDN, IPv6 Geography, IPv6 Fabric Connector Address, IPv6 Template, or
Device (MAC Address).
If you selected Proxy Address for the category, select Host Regex Match, URL
Pattern, URL Category, URL List, HTTP Method, User Agent, HTTP Header,
Advanced (Source), or Advanced (Destination).

IP/Netmask If you selected Subnet as the IPv4 address type, enter the IP address and
netmask.

IP Range If you selected IP Range as the IPv4 address type or you selected IPv6 Range as
the IPv6 address type, enter an IP address range separated by a hyphen. See
Web cache policy address formats.

FQDN If you selected FQDN as the IPv4 address type or IPv6 FQDN as the IPv6
address type, enter the fully qualified domain name.

Country/Region If you selected Geography as the IPv4 address type or IPv6 Geography as the
IPv6 address type, select the country or region.

Sub Type If you selected Dynamic as the IPv4 address type, select ClearPass, Fabric
Connector Address, FortiNAC Tag, FortiVoice Tag, Fortinet Single Sign-On
(FSSO), or Switch Controller NAC Policy Tag.

SPT (System Posture Token) If you selected ClearPass as the Sub Type, select Checkup, Healthy, Infected,
Quarantine, Transient, or Unknown.

SDN Connector If you selected Fabric Connector Address as the Sub Type or IPv6 Fabric
Connector Address as the IPv6 address type, select an existing SDN connector or
create a new one. See External Connectors on page 458.

FSSO Group If you selected Fortinet Single Sign-On (FSSO) as the Sub Type, select an
existing FSSO group or create a new one. See Create or edit a user group on
page 377.

MAC address If you selected Device (MAC Address) as the Sub Type or Type, enter the MAC
address or range of MAC addresses.

IPv6 Address If you selected IPv6 Subnet as the IPv6 address type, enter the IPv6 address.

IPv6 Address Template If you selected IPv6 Template as the IPv6 address type, select an existing IPv6
address template or create one. See Create or edit an IPv6 address template on
page 171.

Host Type If you selected IPv6 Template as the IPv6 address type, select any or specific. If
you select specific, enter the host name.

Interface Select the interface to which you want to bind the IPv4 address. Select any if you
want to bind the IP address with the interface when you create a policy.

Host Enter or select the host name.

Host Regex Pattern If you selected Host Regex Match as the proxy address type, enter the
appropriate string.

URL Path Regex If you selected URL Pattern or Advanced (Destination) as the proxy address type,
enter the appropriate string.

URL Category If you selected URL Category or Advanced (Destination) as the proxy address
type, select the FortiGuard web filter category or categories.

URL List If you selected URL List as the proxy address type, select a URL list from the list.

Request Method If you selected HTTP Method or Advanced (Source) as the proxy address type,
select CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, or TRACE.

User Agent If you selected User Agent or Advanced (Source) as the proxy address type,
select a browser or browsers.

Header Name If you selected HTTP Header as the proxy address type, enter the header name.

Header Regex If you selected HTTP Header as the proxy address type, enter the appropriate
string value.

Request Method If you selected Advanced (Source) as the proxy address type, select CONNECT,
DELETE, GET, HEAD, OPTIONS, POST, PUT, or TRACE.

HTTP Header If you selected Advanced (Source) as the proxy address type, enter the name and
value of the header.

Static Route Configuration Enabling this feature includes the address in the listing of named addresses when
setting up a static route.
This option is available only when the Type is FQDN, IP Range, or Subnet.

Comments Optionally, enter a description of the address.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

Create or edit an address group

Select Create New > Address Group to open the New Address Group window.

To open the Edit Address Group window, select an address group and then click Edit.
Configure the following settings in the New Address Group window or the Edit Address Group window and then click OK:

Category Select IPv4 Group, IPv6 Group, or Proxy Group.

Group name Enter a name to identify the address group. Addresses, address groups, and
virtual IPs must have unique names.

Color Select Change to choose a color for the icon.

Type If you selected IPv4 Group, select Group or Folder.
If you selected Proxy Group, select Source Group or Destination Group.

Members Select the addresses to add to the address group.

Exclude Members Enable Exclude Members and then select the addresses to exclude from the
address group.

Static Route Configuration Enabling this feature includes the address in the listing of named addresses when
setting up a static route.
This option is available only if Category is IPv4 Group and every member of the
address group has Static Route Configuration enabled.

Comments Optionally, enter a description of the address group.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

Create or edit an IPv6 address template

Select Create New > IPv6 Address Template to open the New IPv6 Address Template window.

To open the Edit IPv6 Address Template window, select an IPv6 address template and then click Edit.
Configure the following settings in the New IPv6 Address Template window or the Edit IPv6 Address Template window
and then click OK:

Name Enter a name for the IPv6 address template.

IPv6 address prefix Enter the IPv6 address prefix.

Subnet Segments Select a maximum of six segments. Each segment can have a maximum of 16
bits.

Create New You cannot create a subnet segment.

Edit Select a subnet segment and click Edit. See Edit a subnet segment on page 173.

Delete Delete the selected subnet segment.

Search Search for text in any column.

Segment Name The name of the subnet segment.

Bits The number of bits used by the subnet segment.

Exclusive Enabled means that the subnet segment is exclusive, and the user must select
from predefined values for the segment.

Defined Values Predefined values for an exclusive segment.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

References Click to open the object usage page, which shows which other configuration objects
reference this object.

Edit in CLI Click to open a CLI console window to view and edit the setting in the CLI. If there
are multiple CLI settings on the page, the CLI console shows the first setting.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

Edit a subnet segment

Select a subnet segment and click Edit to open the Edit Segment window.

Configure the following settings in the Edit Segment window and then click OK:

Name You can change the name of the segment.

Bits You can change the number of bits for the segment. Each segment can have a
maximum of 16 bits.

Exclusive Enable this option to make a segment exclusive so that the user must select from
predefined values for the segment.
NOTE: You need to define at least one value before enabling Exclusive.

Defined Values You can create defined values for exclusive segments.

Create New Create the predefined values for an exclusive segment.

Edit Select a value and then click Edit to change the value.

Delete Delete the selected value.

Search Search for text in any column.

Name The name of the segment value.

Format The format of the segment value.

Value The value of the segment.

Internet Service Database

To view the Fortinet database of cloud-based applications, go to Policy & Objects > Internet Service Database.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Edit Predefined Internet services cannot be changed.

Delete Predefined Internet services cannot be deleted.

Search Enter a search term to search the database.

Name The name of the Internet service.

Direction Which direction is supported for the Internet service.

Number of Entries The number of entries in the database.

Ref. Displays the number of times the object is referenced by other objects.
To view the location of the referenced object, select the number in Ref., and the
Object Usage window appears displaying the various locations of the referenced
object.

Services

Web cache services define one or more protocols and port numbers associated with each service. Web cache policies
use service definitions to match session types. You can organize related services into service groups to simplify your
policy list.

If you need to create a web cache policy for a service that is not in the predefined service list, you can add a custom
service. Custom services are configured in Policy & Objects > Services.
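
The address and service matching described under Addresses above and in this section, as an added example that is not code from the guide or from Fortinet. The object shapes, policy and object names, IP addresses, port ranges and the two DNS answer sets are all constructed for illustration and are not the device's own data format; the FQDN case shows why the guide says FQDN matching depends on a trusted DNS server:

```javascript
// Added example: a small policy matcher. Address objects (subnet, IP range,
// FQDN, all) and service objects (protocol plus destination port ranges) are
// compared against a session's packet header fields. All objects, names and
// addresses below are constructed, not taken from a device configuration.

// Dotted-quad IPv4 string to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
}

// "a.b.c.d/bits" membership test.
function inSubnet(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const mask = bits === "0" ? 0 : (0xFFFFFFFF << (32 - Number(bits))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// "first-last" range membership test (inclusive at both ends).
function inRange(ip, range) {
  const [lo, hi] = range.split("-").map(ipToInt);
  const v = ipToInt(ip);
  return v >= lo && v <= hi;
}

// An FQDN object matches whatever addresses the resolver currently reports
// for the name, so the match outcome is only as trustworthy as that resolver.
function addressMatches(addr, ip, resolver) {
  switch (addr.type) {
    case "all":     return true;
    case "subnet":  return inSubnet(ip, addr.subnet);
    case "iprange": return inRange(ip, addr.range);
    case "fqdn":    return (resolver[addr.fqdn] || []).includes(ip);
    default: throw new Error("unsupported address type: " + addr.type);
  }
}

// A service matches when the protocol is equal and the destination port falls
// inside one of the service's [low, high] port ranges.
function serviceMatches(svc, proto, dport) {
  if (svc.protocol !== proto) return false;
  return svc.ports.some(([lo, hi]) => dport >= lo && dport <= hi);
}

// Returns the name of the first policy whose source address, destination
// address and service all match the session, or null when none matches.
function matchPolicy(policies, session, resolver) {
  for (const p of policies) {
    if (addressMatches(p.srcaddr, session.src, resolver) &&
        addressMatches(p.dstaddr, session.dst, resolver) &&
        serviceMatches(p.service, session.proto, session.dport)) {
      return p.name;
    }
  }
  return null;
}

// Constructed sample objects.
const ADDR_LAN     = { type: "subnet",  subnet: "10.10.0.0/16" };
const ADDR_GUEST   = { type: "iprange", range: "192.168.50.10-192.168.50.99" };
const ADDR_UPDATES = { type: "fqdn",    fqdn: "updates.example.com" };
const ADDR_ALL     = { type: "all" };
const SVC_HTTPS    = { protocol: "tcp", ports: [[443, 443]] };
const SVC_WEB      = { protocol: "tcp", ports: [[80, 80], [443, 443], [8080, 8080]] };

const POLICIES = [
  { name: "lan-to-updates", srcaddr: ADDR_LAN,   dstaddr: ADDR_UPDATES, service: SVC_HTTPS },
  { name: "guest-web",      srcaddr: ADDR_GUEST, dstaddr: ADDR_ALL,     service: SVC_WEB },
];

// Two constructed DNS answer sets: the same session matches, or fails to
// match, the FQDN policy depending solely on what the resolver returns.
const DNS_TRUSTED = { "updates.example.com": ["203.0.113.10"] };
const DNS_CHANGED = { "updates.example.com": ["203.0.113.99"] };
```

Running the same session against DNS_TRUSTED and DNS_CHANGED is the practical check behind the guide's warning: a policy keyed on an FQDN silently stops matching (or starts matching different hosts) when the resolver's answer changes, so the DNS server the unit uses needs the same protection as the policy set itself.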

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create an application service, service, service group, or category. See Create or
edit an application service on page 177, Create or edit a service on page 178,
Create or edit a service group on page 180, and Create a service category on
page 183.

Edit Edit the selected service.

Clone Make a copy of the selected service.

Delete Remove the selected custom service. This icon appears only if a service is not
currently being used in a web cache policy.

Category Settings Edit the order in which the categories are displayed in the list when viewing the list
by category.

Search Search for text in any column.

Service Name The name of the custom service.

Details Destination port or ports.

IP/FQDN The IP address or FQDN of the service.

Show in Service List Whether or not the service is shown in the service list.

Ref. Displays the number of times the object is referenced by other objects.
To view the location of the referenced object, select the number in Ref., and the
Object Usage window appears displaying the various locations of the referenced
object.

Comments Optional description of the service.

Protocol The protocol type for the service.

Type The type of service, such as Firewall, Explicit Proxy, or Firewall Group.

Create or edit an application service

Select Create New > Application Service to open the Create Application Service window.

To open the Edit Application Service window, select an application service and then click Edit.
Configure the following settings in the Create Application Service window or Edit Application Service window and then
click OK:

Name Enter a name for the application service.

Proxy Enable or disable the new application service.

Protocol Select the protocol that the application service will use.

Application Service Type Select Disable, Application ID, or Application Category.

Application ID If you selected Application ID, click + to open the Select Entries window. Select
one or more entries and then select Close.

Application category If you selected an Application Service Type of Application category, click + to
open the Select Entries window. Select one or more entries and then select
Close.

TCP Port Range If you selected TCP/UDP/SCTP or ALL, enter a range of TCP ports.

Create or edit a service

Select Create New > Service to open the New Service window.

To open the Edit Service window, select a service and then click Edit.
Configure the following settings in the New Service window or Edit Service window and then click OK:

Name Enter a name for the custom service.

Comments Optionally, enter a description of the service.

Service Type Select the service type: Firewall or Explicit Proxy.

Color Select Change to choose a color for the icon.

Show in Service List Enable to show the service in the service list.

Category Select the category for the service: Uncategorized; Application; General; Web
Access; File Access; Email; Network Services; Authentication; Remote Access;
Tunneling, VoIP, Messaging & Other Applications; or Web Proxy.
You can create new service categories. See Create a service category on page
183.

Protocol Type Select the type of protocol for the service.
- If Service Type is Firewall, select one of: TCP/UDP/SCTP, ICMP, ICMP6, or IP.
- If Service Type is Explicit Proxy, select one of: ALL, CONNECT, FTP, HTTP, SOCKS_TCP, or SOCKS_UDP.

Address Select IP Range or FQDN and then enter the range of IP addresses or the FQDN
for the service. Separate IP addresses with a hyphen.

Destination Port Select TCP, UDP, or SCTP and then enter a range of port numbers.

Specify Source Ports Enable and then enter a range of port numbers.

Type Enter the ICMP type number for the ICMP protocol configuration.
This option is only available if Protocol Type is set to ICMP or ICMP6.

Code Enter the ICMP code number for the ICMP protocol configuration.
This option is only available if Protocol Type is set to ICMP or ICMP6.

Protocol Number Enter the protocol number for the IP protocol configuration.
This option is only available if Protocol Type is set to IP.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

Create or edit a service group

You can organize multiple services into a service group to simplify your policy list. For example, instead of having five
identical policies for five different but related services, you can combine the five services into a single service group that
is used by a single policy.
Service groups cannot contain other service groups.
Configure a service group using the following CLI commands:

config firewall service group
    edit <name>
        set member          // Service group member.
        set explicit-proxy  // Enable or disable the explicit web proxy service group.
        set comment         // Comment.
        set color           // GUI icon color.
    next
end

Service groups are listed in the Firewall Group category.

Select Create New > Service Group to open the New Service Group window.

To open the Edit Service Group window, select a firewall group and then click Edit.
Configure the following settings in the New Service Group window or the Edit Service Group window and then click OK:

Name Enter a name for the service group.

Comments Optionally, enter a description of the service group.

Color Select Change to choose a color for the icon.

Type Select the type of service group, either Firewall or Explicit Proxy.

Members Select the services to add to the service group.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

Create a service category

1. Go to Policy & Objects > Services and select Create New > Category.
2. Enter a name for the new category in the Name field.
3. Optionally, enter a description of the category in the Comments field.
4. Click OK to create the new service category.

Schedules

When you add security policies on a FortiProxy unit, those policies are always on, policing the traffic through the device.
Schedules control when policies are in effect.
The schedule list shows all of the schedules. Recurring and one-time schedules can be created, edited, and deleted as
needed.
You can create a recurring schedule that activates a policy during a specified period of time. If a recurring schedule has a
stop time that is earlier than the start time, the schedule will take effect at the start time but end at the stop time on the
next day. You can use this technique to create recurring schedules that run from one day to the next. To create a
recurring schedule that runs for 24 hours, set the start and stop times to 00.
You can create one-time schedules, which are schedules that are in effect only once for the period of time specified in
the schedule.
To manage schedules, go to Policy & Objects > Schedules.
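
The schedule rules just described, including the stop-before-start wrap-around and the 00/00 24-hour case, as an added example that is not code from the guide or from Fortinet. The schedule object format, its field names and the sample schedules are constructed for illustration and are not the device's own data format:

```javascript
// Added example: decides whether a FortiProxy-style schedule is in effect at
// a given moment. Implements the guide's rules: a recurring schedule whose
// stop time is earlier than its start time ends at the stop time on the next
// day, and start and stop both set to 00:00 means the whole day. The object
// format below is constructed for this example only.

const DAY_NAMES = ["sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"];

// "HH:MM" -> minutes since midnight.
function toMinutes(hhmm) {
  const [h, m] = hhmm.split(":").map(Number);
  return h * 60 + m;
}

// "YYYY-MM-DD HH:MM" -> local Date (parsed by hand to avoid timezone ambiguity).
function parseLocal(stamp) {
  const [date, time] = stamp.split(" ");
  const [y, mo, d] = date.split("-").map(Number);
  const [h, mi] = time.split(":").map(Number);
  return new Date(y, mo - 1, d, h, mi);
}

// Recurring schedule: { type: "recurring", days: [...], start: "HH:MM", stop: "HH:MM" }.
// Windows are half-open: active at the start minute, inactive at the stop minute.
function recurringActive(sched, now) {
  const start = toMinutes(sched.start);
  const stop = toMinutes(sched.stop);
  const minute = now.getHours() * 60 + now.getMinutes();
  const today = DAY_NAMES[now.getDay()];
  const yesterday = DAY_NAMES[(now.getDay() + 6) % 7];
  const days = sched.days.map(d => d.toLowerCase());

  // Start and stop both at 00:00: the whole scheduled day.
  if (start === 0 && stop === 0) {
    return days.includes(today);
  }
  // Same-day window on a scheduled day.
  if (start < stop) {
    return days.includes(today) && minute >= start && minute < stop;
  }
  // Wrap-around window: either it started today at `start`, or it started on
  // a scheduled day yesterday and runs until `stop` today.
  return (days.includes(today) && minute >= start) ||
         (days.includes(yesterday) && minute < stop);
}

// One-time schedule: { type: "onetime", start: "YYYY-MM-DD HH:MM", end: "YYYY-MM-DD HH:MM" }.
function oneTimeActive(sched, now) {
  return now >= parseLocal(sched.start) && now < parseLocal(sched.end);
}

function scheduleActive(sched, now) {
  return sched.type === "recurring" ? recurringActive(sched, now) : oneTimeActive(sched, now);
}

// Constructed sample schedules.
const WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday"];
const OFFICE_HOURS = { type: "recurring", days: WEEKDAYS, start: "09:00", stop: "17:00" };
const NIGHT_SHIFT  = { type: "recurring", days: WEEKDAYS, start: "22:00", stop: "06:00" };
const ALWAYS       = { type: "recurring", days: DAY_NAMES, start: "00:00", stop: "00:00" };
const MAINTENANCE  = { type: "onetime", start: "2024-03-02 01:00", end: "2024-03-02 03:00" };
```

The NIGHT_SHIFT schedule is the wrap-around case: it covers Friday 22:00 through Saturday 06:00 even though Saturday is not a scheduled day, while Monday 02:00 is inactive because no window started on Sunday. When reviewing a policy that should only be open out of hours, that is the boundary worth checking.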

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a schedule or a schedule group. See Create or edit a schedule on page
185 or Create or edit a schedule group on page 187.

Edit Edit the selected schedule or schedule group. See Create or edit a schedule on
page 185 or Create or edit a schedule group on page 187.

Clone Make a copy of the selected schedule or schedule group.

Delete Remove the selected schedule. This icon is only available if the selected schedule
is not currently being used in a policy.

Search Enter a search term to search the schedule list.

Name The name of the schedule.

Days/Members The days of the week that the schedule is configured to be active.

Start The time of day that the schedule is configured to start.

End The time of day that the schedule is configured to end.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref., and the
Object Usage window appears displaying the various locations of the referenced
object.

Type The type of schedule, either Recurring or One-Time.

Create or edit a schedule

When you add security policies on a FortiProxy unit, those policies are always on, policing the traffic through the device.
Schedules control when policies are in effect.
Select Create New > Schedule to open the New Schedule window.


To open the Edit Schedule window, select a schedule and then click Edit.
Configure the following settings in the New Schedule window or the Edit Schedule window and then click OK:

Type Select Recurring or One-Time.

Name Enter a name for the schedule.

Color Click Change to choose a color for the icon.

Days If you selected a recurring schedule, select the days of the week when the
schedule will be active.


All Day If you selected a recurring schedule and the scheduled time is the whole day,
enable All Day. If the schedule is for specific times during the day, disable All Day.

Start Date If you select a one-time schedule, select the year, month, and day that the
schedule will start. The start date must be earlier than the stop date.

Start Time If you select a recurring schedule and disable All Day, or if you select a one-time
schedule, select the start time for the schedule.

End Date If you select a one-time schedule, select the year, month, and day that the
schedule will stop. The end date must be later than the start date.

Stop Time If you select a recurring schedule and disable All Day, or if you select a one-time
schedule, select the stop time for the schedule. If the stop time is set earlier than
the start time, the stop time will be during the next day. If the start time is equal to
the stop time, the schedule will run for 24 hours.

Pre-expiration event log If you select a one-time schedule, enable this option to generate an event log
before the schedule expires and then enter the number of days before the
expiration that the event log will be generated, from 1 to 100.

Number of days before If you select a one-time schedule, enter the number of days before the schedule
expires to generate an event log. The range is 1 to 100 days.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.
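The Start Time and Stop Time rules above (stop earlier than start wraps into the next day, start equal to stop runs 24 hours), the one-time schedule date and pre-expiration checks, and the "no nested groups" rule are modelled below as an added example; this is not code from the guide or from FortiProxy. It assumes a selected day is the day an occurrence starts and that the stop instant itself is outside the window; both are assumptions, not statements from the guide.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import FrozenSet, Optional, Tuple, Union

# Day names as shown in the Days column of the schedule list.
WEEKDAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


@dataclass(frozen=True)
class RecurringSchedule:
    """Recurring schedule: active on the selected days between start and stop time.

    Assumption (not stated in the guide): a selected day is the day on which the
    window starts, and the window is half-open (the stop instant is outside it).
    """
    name: str
    days: FrozenSet[str]        # lowercase names from WEEKDAYS
    start: time = time(0, 0)    # All Day == 00:00 to 00:00, i.e. runs 24 hours
    stop: time = time(0, 0)

    def window(self, day: date) -> Tuple[datetime, datetime]:
        """Start/end instants of the occurrence that begins on `day`.

        Stop earlier than start (e.g. 22:00-02:00) ends on the next day; stop equal
        to start runs for 24 hours, exactly as the Stop Time field describes.
        """
        start_dt = datetime.combine(day, self.start)
        stop_day = day if self.stop > self.start else day + timedelta(days=1)
        return start_dt, datetime.combine(stop_day, self.stop)

    def is_active(self, at: datetime) -> bool:
        # An occurrence that started yesterday may still be running past midnight,
        # so both yesterday and today are checked as possible start days.
        for start_day in (at.date() - timedelta(days=1), at.date()):
            if WEEKDAYS[start_day.weekday()] not in self.days:
                continue
            start_dt, stop_dt = self.window(start_day)
            if start_dt <= at < stop_dt:
                return True
        return False


@dataclass(frozen=True)
class OneTimeSchedule:
    """One-time schedule with the GUI's validation rules: the end date must be later
    than the start date, and the pre-expiration event log is 1 to 100 days before."""
    name: str
    start: datetime
    end: datetime
    pre_expiration_log_days: Optional[int] = None

    def __post_init__(self) -> None:
        if self.end <= self.start:
            raise ValueError(f"{self.name}: end date must be later than start date")
        days = self.pre_expiration_log_days
        if days is not None and not 1 <= days <= 100:
            raise ValueError(f"{self.name}: pre-expiration days must be 1 to 100")

    def is_active(self, at: datetime) -> bool:
        return self.start <= at < self.end

    def in_pre_expiration_window(self, at: datetime) -> bool:
        """True once the schedule is within pre_expiration_log_days of expiring,
        i.e. when the pre-expiration event log would be generated."""
        if self.pre_expiration_log_days is None or at >= self.end:
            return False
        return at >= self.end - timedelta(days=self.pre_expiration_log_days)


Schedule = Union[RecurringSchedule, OneTimeSchedule]


@dataclass(frozen=True)
class ScheduleGroup:
    """A group is active while any member is; groups cannot contain groups."""
    name: str
    members: Tuple[Schedule, ...]

    def __post_init__(self) -> None:
        for member in self.members:
            if not isinstance(member, (RecurringSchedule, OneTimeSchedule)):
                raise ValueError(f"{self.name}: schedule groups cannot contain other groups")

    def is_active(self, at: datetime) -> bool:
        return any(member.is_active(at) for member in self.members)


def policy_in_effect(schedule, at: datetime) -> bool:
    """A policy polices traffic only while its schedule or schedule group is active."""
    return schedule.is_active(at)


# Constructed sample objects (not from the guide): a Friday-night maintenance window
# that wraps past midnight, and a one-time migration window with a 3-day warning.
MAINTENANCE = RecurringSchedule("fri_maintenance", frozenset({"friday"}), time(22, 0), time(2, 0))
MIGRATION = OneTimeSchedule("migration", datetime(2024, 6, 1), datetime(2024, 6, 10),
                            pre_expiration_log_days=3)
CHANGE_WINDOWS = ScheduleGroup("change_windows", (MAINTENANCE, MIGRATION))
```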

Create or edit a schedule group

You can organize multiple schedules into a schedule group to simplify your security policy list. For example, instead of
having five identical policies for five different but related schedules, you might combine the five schedules into a single
schedule group that is used by a single security policy.
Schedule groups can contain both recurring and one-time schedules. Schedule groups cannot contain other schedule
groups.
Select Create New > Schedule Group to open the New Schedule Group window.


To open the Edit Schedule Group window, select a schedule group and then click Edit.
Configure the following settings in the New Schedule Group window or the Edit Schedule Group window and then click
OK:

Name Enter the name of the schedule group.

Color Click Change to choose a color for the icon.

Members Select the schedules that you want to have included in the group from the drop-
down menu.


API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

Virtual IPs

Static Virtual IPs (VIP) are used to map external IP addresses to internal IP addresses. This is also called destination
NAT, where a packet's destination is being NAT'd, or mapped, to a different address.
Static VIPs are commonly used to map public IP addresses to resources behind the FortiProxy unit that use private IP
addresses. A static one-to-one VIP is when the entire port range is mapped. A port forwarding VIP is when the mapping is
configured on a specific port or port range.
To view the virtual IPs, go to Policy & Objects > Virtual IPs.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New > Virtual IP Add a new virtual IP. See Create or edit a virtual IP on page 190.

Create New > Virtual IP Group Add a new virtual IP group. See Create or edit a virtual IP group on page 192.

Edit Edit the selected virtual IP or virtual IP group. See Create or edit a virtual IP on
page 190 or Create or edit a virtual IP group on page 192.

Delete Remove the selected virtual IP or virtual IP group.


Search Search for text in any column.

Name The name of the virtual IP or virtual IP group.

Interfaces The domain name.

Details The interface to which the virtual IP or virtual IP group is bound.

Comments Optional description of the virtual IP or virtual IP group.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref., and the
Object Usage window appears displaying the various locations of the referenced
object.

extip External IP address or range for the virtual IP.

Create or edit a virtual IP

Select Create New > Virtual IP to open the Create Virtual IP window.


To open the Edit Virtual IP window, select an address and then click Edit.
Configure the following settings in the Create Virtual IP window or the Edit Virtual IP window and then click OK:

Name Enter a unique name for the virtual IP.

Comments Optionally, enter a description of the virtual IP.

Interface Select the interface to which you want to bind the virtual IP. Select any if you want
to bind the virtual IP with the interface when you create a policy.

Port Forwarding Enable or disable. If only the traffic for a specific port or port range is being
forwarded, enable this setting.

Protocol Select TCP, UDP, SCTP, or ICMP for the virtual IP to use.

External service port Enter a port number or a range of port numbers, separated by a hyphen.
This is the port(s) on the external interface of the FortiProxy (the destination port
in the header of the packets).


Map to port Enter the port number. This will be the listening port on the device located on the
internal side of the network. It does not have to be the same as the external service
port.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

To create a virtual IP in the CLI:

config firewall vip
    edit "Internal_WebServer"
        set extip 10.1.100.199
        set extintf "any"
        set mappedip "172.16.200.55"
    next
end

Create or edit a virtual IP group

Just like other addresses, virtual IP addresses can be organized into groups for ease of administration. If you have
multiple virtual IPs that are likely to be associated with common firewall policies, you can add the group to each policy
instead of adding the virtual IPs individually. That way, if the members of the group change, the change propagates to all
of the policies using that group.
When using a Virtual IP address group the firewall policy will take into account all of the configured parameters of the
Virtual IPs: IP addresses, ports, and port types.
Select Create New > Virtual IP Group to open the Create Virtual IP Group window.


To open the Edit Virtual IP Group window, select an address group and then click Edit.
Configure the following settings in the Create Virtual IP Group window or the Edit Virtual IP Group window and then click
OK:

Name Enter a unique name to identify the virtual IP group.

Comments Optionally, enter a description of the virtual IP group.

Interface Use the drop-down menu to select the interface if all of the VIPs are on the same
interface. If any of the VIPs are on different interfaces or if any of them are
associated with the "any" option, choose the any option for the group.


Members Select the virtual IPs to add to the virtual IP group.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

IP Pools

IP pools are a mechanism that allows sessions leaving the FortiProxy unit to use NAT. An IP pool defines a single IP
address or a range of IP addresses to be used as the source address for the duration of a session. These assigned
addresses are used instead of the IP address assigned to that FortiProxy interface.
To see which IP pools are configured, go to Policy & Objects > IP Pools.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create an IP pool. See Create or edit an IP pool on page 195.

Edit Edit the selected IP pool. See Create or edit an IP pool on page 195.

Clone Make a copy of the selected IP pool.

Delete Remove the selected IP pool.

Search Enter a search term to search the IP pool list.

Name The name of the IP pool.

External IP Range The lowest and highest IP addresses in the range.

Comments An optional description of the IP pool.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref., and the
Object Usage window appears displaying the various locations of the referenced
object.

Create or edit an IP pool

Select Create New to open the New IP Pool window.

To open the Edit IP Pool window, select an IP pool and then click Edit.
To create an IP pool, configure the following settings in the New IP Pool window or Edit IP Pool window and then click
OK:

IP Pool Type Select IPv4 Pool if your IP pool contains IPv4 addresses or select IPv6 Pool if
your IP pool contains IPv6 addresses.

Name Enter a name for the IP pool in the Name field.

Comments Add an optional description of the IP pool.

External IP address/range Enter the lowest and highest IP addresses in the range. Separate IP addresses
with a hyphen. If you only want a single address used, enter the same address in
both fields.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.


To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

ZTNA

Zero Trust Network Access (ZTNA) is an access control method that uses client device identification, authentication, and
Zero Trust tags to provide role-based application access. It gives administrators the flexibility to manage network access
for On-net local users and Off-net remote users. Access to applications is granted only after device verification,
authenticating the user’s identity, authorizing the user, and then performing context based posture checks using Zero
Trust tags.
Traditionally, a user and a device have different sets of rules for on-net access and off-net VPN access to company
resources. With a distributed workforce and access that spans company networks, data centers, and cloud, managing
the rules can become complex. User experience is also affected when multiple VPNs are needed to get to various
resources.

Full ZTNA and IP/MAC filtering

ZTNA has two modes: Full ZTNA and IP/MAC filtering:

• Full ZTNA allows users to securely access resources through an SSL-encrypted access proxy. This simplifies remote
access by eliminating the use of VPNs.
• IP/MAC filtering uses ZTNA tags to provide an additional factor for identification and security posture check to
implement role-based zero trust access.

ZTNA telemetry, tags, and policy enforcement

When On-net and Off-net FortiClient endpoints register to FortiClient EMS, device information, log on user information,
and security posture are all shared over ZTNA telemetry with the EMS server. Clients also make a certificate signing
request to obtain a client certificate from the EMS that is acting as the ZTNA Certificate Authority (CA).
Based on the client information, EMS applies matching Zero Trust tagging rules to tag the clients. These tags, and the
client certificate information, are synchronized with the FortiProxy unit in real-time. This allows the FortiProxy unit to
verify the client's identity using the client certificate, and grant access based on the ZTNA tags applied in the ZTNA rule.
EMS ZTNA and endpoint tags are displayed in the Device Inventory widget, FortiClient widget, and the Asset Identity
Center page. In the backend, EMS ZTNA tags, endpoint tags, and EMS serial numbers are in the user device query API
and response.

The ZTNA tag name can be used as a search criterion in the Asset view of the Asset Identity
Center page.


Access proxy

The FortiProxy access proxy can proxy HTTP and TCP traffic over secure HTTPS connections with the client. This
enables seamless access from the client to the protected servers, without needing to form IPsec or SSL VPN tunnels.

HTTPS access proxy

The FortiProxy HTTPS access proxy works as a reverse proxy for the HTTP server. When a client connects to a
webpage hosted by the protected server, the address resolves to the FortiProxy unitʼs access proxy VIP. The FortiProxy
unit proxies the connection and takes steps to authenticate the user. It prompts the user for their certificate on the
browser, and verifies this against the ZTNA endpoint record that is synchronized from the EMS. If an authentication
scheme, such as SAML authentication, is configured, the client is redirected to a captive portal for sign-on. If this passes,
traffic is allowed based on the ZTNA rules, and the FortiProxy unit returns the webpage to the client.

TCP forwarding access proxy (TFAP)

TCP forwarding access proxy works as a special type of HTTPS reverse proxy. Instead of proxying traffic to a web
server, TCP traffic is tunneled between the client and the access proxy over HTTPS, and forwarded to the protected
resource. The FortiClient endpoint configures the ZTNA connection by pointing to the proxy gateway, and then
specifying the destination host that it wants to reach. An HTTPS connection is made to the FortiProxy unitʼs access proxy
VIP, where the client certificate is verified and access is granted based on the ZTNA rules. TCP traffic is forwarded from
the FortiProxy to the protected resource, and an end-to-end connection is established.

Basic requirements for ZTNA configuration

The following are the basic requirements for configuring full ZTNA on the FortiProxy unit:
• FortiClient EMS fabric connector and ZTNA tags.
• FortiClient EMS running version 7.0.0 or later.
• FortiClient running 7.0.0 or later.
• ZTNA server
• ZTNA rule
• Firewall policy
For configuration details, see Basic ZTNA configuration on page 197.

Basic ZTNA configuration

To deploy full ZTNA, configure the following components on the FortiProxy unit:
1. Configure a FortiClient EMS connector on page 198
2. Configure a ZTNA server on page 200
3. Configure a ZTNA rule on page 204
4. Configure a firewall policy for full ZTNA on page 206
5. Optional authentication on page 208


To configure ZTNA in the GUI, go to System > Feature Visibility and enable Zero Trust
Network Access.

Configure a FortiClient EMS connector

To add an on-premise FortiClient EMS server in the GUI:

1. Go to Security Fabric > Fabric Connectors.


2. Click Create New and click FortiClient EMS.
3. Enter a name for the connector and the IP address or FQDN of the EMS.
4. Click OK.
5. A window appears to verify the EMS server certificate. Click Accept.

To add an on-premise FortiClient EMS server in the CLI:

config endpoint-control fctems
    edit <name>
        set server <server IP or domain>
    next
end

ZTNA tags

After the FortiProxy unit connects to the FortiClient EMS, it automatically synchronizes ZTNA tags.

To view the synchronized ZTNA tags in the GUI:

1. Go to Policy & Objects > ZTNA and select the ZTNA Tags tab.
2. Hover the cursor over a tag name to view more information about the tag, such as its resolved addresses.


To create a ZTNA tag group in the GUI:

1. Go to Policy & Objects > ZTNA and select the ZTNA Tags tab.
2. Click Create New Group.
3. Enter a name for the group and select the group members.

4. Click OK.

To create a ZTNA tag group in the CLI:

config firewall addrgrp
    edit <group name>
        set category ztna-ems-tag
        set member <members>
    next
end


Configure a ZTNA server

To configure a ZTNA server, define the access proxy VIP and the real servers that clients will connect to. The access
proxy VIP is the FortiProxy ZTNA gateway that clients make HTTPS connections to. The service/server mappings define
the virtual host matching rules and the real server mappings of the HTTPS requests.

To create a ZTNA server and access proxy VIP in the GUI:

1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.
2. Click Create New.
3. Enter a name for the server.
4. Select an external interface, enter the external IP address, and select the external port that the clients will connect
to.
5. Select the Default certificate. Clients will be presented with this certificate when they connect to the access proxy
VIP.

6. Add server mapping:


a. In the Service/server mapping table, click Create New.


b. Set Virtual Host to Any Host or Specify.
• Any Host: Any request that resolves to the access proxy VIP will be mapped to your real servers. For
example, if both www.example1.com and www.example2.com resolve to the VIP, then both requests are
mapped to your real servers.
• Specify: Enter the name or IP address of the host that the request must match. For example, if
www.example1.com is entered as the host, then only requests to www.example1.com will match.
c. Configure the path as needed.
The path can be matched by substring, wildcard, or regular expression. For example, if the virtual host is
specified as www.example1.com, and the path substring is map1, then www.example1.com/map1 will be matched.


d. Add a server:
i. In the Servers table, click Create New.
ii. Enter the server IP address and port number.
iii. Set the server status.
iv. Click OK.
v. Add more servers as needed.
e. Click OK.
f. Add more server mappings as needed.
7. Click OK.

To create a ZTNA server and access proxy VIP in the CLI:

1. Configure an access proxy VIP:

    config firewall vip
        edit <name>
            set type access-proxy
            set extip <external_IP_address>
            set extintf <external interface>
            set server-type https
            set extport <external_port_number>
            set ssl-certificate <certificate>
        next
    end

2. If the virtual host is specified, configure the virtual host:

    config firewall access-proxy-virtual-host
        edit <auto generated when configured from GUI>
            set ssl-certificate <certificate>
            set host <host_name_or_IP_address>
            set host-type {sub-string | wildcard}
        next
    end

3. Configure the server and path mapping:

    config firewall access-proxy
        edit <name>
            set vip <virtual_IP_name>
            set client-cert {enable | disable}
            set empty-cert-action {accept | block}
            config api-gateway
                edit 1
                    set url-map <mapped_path>
                    set service {http | https | tcp-forwarding | samlsp}
                    set virtual-host <name_of_virtual_host_if_specified>
                    set url-map-type {sub-string | wildcard | regex}
                    config realservers
                        edit 1
                            set ip <IP_address_of_real_server>
                            set port <port>
                            set status {active | standby | disable}
                            set health-check {enable | disable}
                        next
                    end
                    set ldb-method static
                    set persistence none
                    set ssl-dh-bits 2048
                    set ssl-algorithm high
                    set ssl-min-version tls-1.1
                    set ssl-max-version tls-1.3
                next
            end
        next
    end

The load balance method for the real servers can only be specified in the CLI.
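To reason about which api-gateway entry a request reaches before committing a ZTNA server configuration, the virtual host and url-map matching from step 6 and the CLI above can be modelled offline. The following is an added example, not code from the guide or from FortiProxy, and it assumes matching semantics the guide does not spell out: sub-string means case-insensitive containment, wildcard means shell-style glob matching, gateways are tried in id order, and ldb-method static picks the first active real server (then the first standby).

```python
import fnmatch
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class VirtualHost:
    """firewall access-proxy-virtual-host entry: host plus host-type.
    Assumed semantics: sub-string is case-insensitive containment, wildcard is a
    shell-style glob that must match the whole request host name."""
    name: str
    host: str
    host_type: str = "sub-string"   # sub-string | wildcard

    def matches(self, request_host: str) -> bool:
        host, req = self.host.lower(), request_host.lower()
        if self.host_type == "wildcard":
            return fnmatch.fnmatchcase(req, host)
        # Containment is permissive: "web.test.com" also matches "web.test.com.other.example".
        # A wildcard or exact host is the safer choice when the VIP should serve one name.
        return host in req


@dataclass
class RealServer:
    ip: str
    port: int
    status: str = "active"          # active | standby | disable


@dataclass
class ApiGateway:
    """One api-gateway entry: url-map, url-map-type, optional virtual-host, realservers."""
    gw_id: int
    url_map: str
    url_map_type: str = "sub-string"            # sub-string | wildcard | regex
    service: str = "https"
    virtual_host: Optional[VirtualHost] = None  # None == Any Host
    realservers: List[RealServer] = field(default_factory=list)

    def matches(self, request_host: str, path: str) -> bool:
        if self.virtual_host is not None and not self.virtual_host.matches(request_host):
            return False
        if self.url_map_type == "regex":
            return re.search(self.url_map, path) is not None
        if self.url_map_type == "wildcard":
            return fnmatch.fnmatchcase(path, self.url_map)
        return self.url_map in path             # assumed: plain substring containment

    def pick_server(self) -> Optional[RealServer]:
        """Assumed ldb-method static behaviour: first active server, else first standby;
        disabled servers are never selected."""
        for wanted in ("active", "standby"):
            for server in self.realservers:
                if server.status == wanted:
                    return server
        return None


def route(gateways: List[ApiGateway], request_host: str, path: str
          ) -> Tuple[Optional[ApiGateway], Optional[RealServer]]:
    """Return the first gateway (by id, an assumption) matching host and path, plus the
    real server it would select; (None, None) when no mapping applies."""
    for gateway in sorted(gateways, key=lambda g: g.gw_id):
        if gateway.matches(request_host, path):
            return gateway, gateway.pick_server()
    return None, None


# Constructed sample configuration reusing the guide's example names; the IPs,
# the regex gateway and its wildcard host are made up for illustration.
WEBPORTAL_HOST = VirtualHost("webportal", "web.test.com")
GATEWAYS = [
    ApiGateway(1, "/webportal", service="web-portal", virtual_host=WEBPORTAL_HOST),
    ApiGateway(2, "/map1", realservers=[RealServer("10.0.0.10", 443, "disable"),
                                       RealServer("10.0.0.11", 443, "active")]),
    ApiGateway(3, r"^/api/v[0-9]+/", url_map_type="regex",
               virtual_host=VirtualHost("api", "api.*.com", "wildcard"),
               realservers=[RealServer("10.0.0.20", 8443)]),
]
```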

Configure a ZTNA rule

A ZTNA rule is a proxy policy used to enforce access control. ZTNA tags or tag groups can be defined to enforce zero
trust role based access. Security profiles can be configured to protect this traffic.

To configure a ZTNA rule in the GUI:

1. Go to Policy & Objects > ZTNA and select the ZTNA Rules tab.
2. Click Create New.
3. Enter a name for the rule.
4. Add the ZTNA tags or tag groups that are allowed access.


5. Select the ZTNA server.

6. Configure the remaining options as needed.


7. Click OK.


To configure a ZTNA rule in the CLI:

config firewall policy
    edit 1
        set type access-proxy
        set name <ZTNA rule name>
        set access-proxy <access_proxy>
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag <ZTNA_tag(s)>
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set ssl-ssh-profile <inspection_profile>
    next
end

Configure a firewall policy for full ZTNA

The firewall policy matches and redirects client requests to the access proxy VIP. The source interface and addresses
that are allowed access to the VIP can be defined. By default, the destination is any interface, so once a policy is
configured for full ZTNA, the policy list will be organized by sequence.
UTM processing of the traffic happens at the ZTNA rule.

To configure a firewall policy for full ZTNA in the GUI:

1. Go to Policy & Objects > Policy and click Create New.


2. Enter a name for the policy.
3. Enable ZTNA and select Full ZTNA.


4. Set ZTNA Server to the configured ZTNA server.

5. Configure the remaining settings as needed.


6. Click OK.

To configure a firewall policy for full ZTNA in the CLI:

config firewall policy
    edit <policy ID>
        set name <policy_name>
        set srcintf <source_interface>
        set dstintf "any"
        set srcaddr <source_address>
        set dstaddr <access_proxy_virtual_IP>
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

Optional authentication

To configure authentication to the access proxy, you must configure an authentication scheme and authentication rule in
the CLI. They are used to authenticate proxy-based policies, similar to configuring authentication for explicit and
transparent proxy.
The authentication scheme defines the method of authentication that is applied. For ZTNA, basic HTTP and SAML
methods are supported. Each method has additional settings to define the data source to check against. For example,
with basic HTTP authentication, a user database can reference an LDAP server, RADIUS server, local database, or
other supported authentication servers that the user is authenticated against.
The authentication rule defines the proxy sources and destinations that require authentication, and which authentication
scheme to apply. For ZTNA, active authentication method is supported. The active authentication method references a
scheme where users are actively prompted for authentication, like with basic authentication.
After the authentication rule triggers the method to authenticate the user, a successful authentication returns the groups
that the user belongs to. In the ZTNA rule and proxy policy you can define a user or user group as the allowed source.
Only users that match that user or group are allowed through the proxy policy.

To configure a basic authentication scheme:

config authentication scheme
    edit <name>
        set method basic
        set user-database <authentication_server>
    next
end

To configure an authentication rule:

config authentication rule
    edit <name>
        set status enable
        set protocol http
        set srcintf <interface>
        set srcaddr <address>
        set dstaddr <address>
        set ip-based enable
        set active-auth-method <active_authentication_scheme>
    next
end


To apply a user group to a ZTNA rule in the GUI:

1. Go to Policy & Objects > ZTNA and select the ZTNA Rules tab.
2. Edit an existing rule or click Create New to create a new rule.
3. Click in the Source field, select the User tab, and select the users and user groups that will be allowed access.
4. Configure the remaining settings as required.
5. Click OK.

To apply a user group to a ZTNA rule in the CLI:

config firewall policy
    edit <policy ID>
        set name <ZTNA rule name>
        set type access-proxy
        set access-proxy <access proxy>
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag <ZTNA tags>
        set action accept
        set schedule "always"
        set logtraffic all
        set groups <user group>
        set utm-status enable
        set ssl-ssh-profile <inspection profile>
    next
end

The authentication rule and scheme defines the method used to authenticate users. With basic HTTP authentication, a
sign in prompt is shown after the client certificate prompt. After the authentication passes, the returned groups that the
user is a member of are checked against the user groups that are defined in the ZTNA rule. If a group matches, then the
user is allowed access after passing a posture check.

Connect a ZTNA access proxy to an SSL VPN web portal

SSL VPN web portals can be defined in ZTNA access proxy settings. The ZTNA access proxy handles the access
control processes (client certificate authentication, posture check, user authentication and authorization), and
establishes the HTTPS connection between the end user and the access proxy. Then, it forwards the user to the web
portal where they can use predefined bookmarks to access TCP based services like HTTPS, RDP, VNC, FTP, SFTP,
SSH, Telnet, and SMB. Existing SSL VPN portal configurations can be used.

The web portal service can only be configured in the CLI.

Example

In this example, a remote client connects to the ZTNA access proxy and completes the client certificate check. If
successful, the remaining access control procedures are automatically completed, and the user is forwarded to the web
portal. The web portal is configured with predefined bookmarks that connect to internal servers and external websites.
The user can access any resource that is defined in the bookmarks to create an end-to-end connection.

To configure the SSL VPN web portal:

1. Go to VPN > SSL-VPN Portals and click Create New.


2. Enter the name test_ssl.
3. Disable Tunnel Mode.
4. Enable Web Mode.
5. Create the bookmarks:
a. In the Predefined Bookmarks table click Create New.
b. Enter the name of the service.
c. Select the service Type.
d. Enter the URL to access the service.
e. Click OK.
f. Repeat these steps to create other bookmarks.
6. Click OK.

To configure the ZTNA access proxy:

1. Configure a VIP for the ZTNA access proxy. The ssl-certificate can be replaced with a server certificate:
    config firewall vip
        edit "ztna_webportal"
            set type access-proxy
            set extip 172.18.62.68
            set extintf "any"
            set server-type https
            set extport 4443
            set ssl-certificate "*.test.com"
        next
    end

2. Configure the virtual host to be used to connect to the ZTNA access proxy. The host should resolve to the VIP’s
address:
    config firewall access-proxy-virtual-host
        edit "webportal"
            set ssl-certificate "*.test.com"
            set host "web.test.com"
        next
    end

3. Configure the ZTNA access proxy to be in web portal mode:

    config firewall access-proxy
        edit "ztna_webportal"
            set vip "ztna_webportal"
            set client-cert enable
            config api-gateway
                edit 1
                    set url-map "/webportal"
                    set service web-portal
                    set virtual-host "webportal"
                    set ssl-vpn-web-portal "test_ssl"
                next
            end
        next
    end

4. Apply the access proxy to a proxy policy (specify the ZTNA tags as needed):
config firewall proxy-policy
edit 1
set name "ztna_rule"
set proxy access-proxy
set access-proxy "ztna_webportal"
set srcintf "any"
set srcaddr "all"
set dstaddr "all"
set ztna-ems-tag "FCTEMS8821000000_High"
set action accept
set schedule "always"
set logtraffic all
set srcaddr6 "all"
set dstaddr6 "all"
set utm-status enable
set profile-type group
set profile-group "profile group1"
set logtraffic-start enable
next
end

The SSL VPN bookmarks are learned by the WAD daemon and are ready to use.
5. Verify the bookmarks:
# diagnose test app wad 351
[bookmark: (portal/group/name=test_ssl/gui-bookmarks/2nd HTTP)]:
type :1
url :http://httpbin.org
host :
folder:
domain:
port :0
[bookmark: (portal/group/name=test_ssl/gui-bookmarks/FTP)]:
type :4
url :
host :
folder:172.16.200.215
domain:
port :0
[bookmark: (portal/group/name=test_ssl/gui-bookmarks/HTTPS-fortinet)]:
type :1
url :https://www.fortinet.com
host :
folder:
domain:
port :0
[bookmark: (portal/group/name=test_ssl/gui-bookmarks/RDP)]:
type :9
url :
host :172.18.62.213
folder:
domain:
port :3389

To test the connection:

1. From the client browser, go to https://web.test.com:4443/webportal to access the ZTNA access proxy web portal.

2. Once the client passes the certificate check, posture check, and access is granted, the user is redirected to the web
portal. The list of predefined bookmarks appears.

3. Click a bookmark, such as HTTPS-fortinet. The website opens.

4. From the web portal, click another bookmark, such as SSH. The page opens with the credential login screen to
access the server.

UTM scanning on TCP forwarding access proxy traffic

UTM scanning and deep inspection are supported for multiple protocols in a ZTNA TCP forwarding access proxy. In
addition to HTTP and HTTPS, the mail protocols (SMTP, IMAP, and POP3) and file sharing protocols (SMB and CIFS)
are supported.

Examples

AV scanning for normal POP3, IMAP, and SMTP traffic

To configure AV scanning for normal POP3, IMAP, and SMTP traffic:

1. In FortiClient, add ZTNA connection rules for the email server IP and the POP3, IMAP, and SMTP ports.
2. On the FortiProxy, configure the ZTNA TCP forwarding server to add the email server address and enable AV
profile scanning in the ZTNA rules.
3. On the client PC, open the Outlook app and send emails with attachments containing virus-affected files.
4. The ZTNA rule on the FortiProxy blocks the email send/receive traffic and generates AV logs.

AV deep scanning for SSL encrypted POP3S, IMAPS, and SMTPS traffic

To configure AV deep scanning for SSL encrypted POP3S, IMAPS, and SMTPS traffic:

1. In FortiClient, add ZTNA connection rules for the email server IP and the POP3S, IMAPS, and SMTPS ports.
2. On the FortiProxy, configure the ZTNA TCP forwarding server to add the email server address and enable AV
profile scanning in the ZTNA rules.
3. On the client PC, open the Outlook app and send emails with attachments containing virus-affected files.
4. The ZTNA rule on the FortiProxy blocks the email send/receive traffic and generates AV logs.

AV scanning for SMB service traffic

To configure AV scanning for SMB service traffic:

1. In FortiClient, add ZTNA connection rules for the SMB file sharing server IP and ports.
2. On the FortiProxy, configure the ZTNA TCP forwarding server to add the SMB server address and enable AV profile
scanning in the ZTNA rules.
3. On the client PC, upload and download virus-affected files to and from the SMB server.
4. The ZTNA rule on the FortiProxy blocks the email send/receive traffic and generates AV logs.

File filter scanning for CIFS service traffic

To configure file filter scanning for CIFS service traffic:

1. In FortiClient, add ZTNA connection rules for the CIFS server IP and port.
2. On the FortiProxy, configure the ZTNA TCP forwarding server to add the CIFS server address and enable file filter
profile scanning in the ZTNA rules.
3. On the client PC, upload and download predefined file types (such as .EXE) to and from the CIFS server.
4. The ZTNA rule on the FortiProxy blocks the email send/receive traffic and generates AV logs.

Increase ZTNA and EMS tag limits - 7.0.4

The following limits have increased for EMS servers, IP addresses, and MAC addresses in EMS and ZTNA tags:
l The maximum number of EMS servers a FortiProxy can connect to increased from three to five.
l The maximum number of IP addresses an EMS tag can resolve increased from 1000 to over 100,000.
l The maximum number of MAC addresses an EMS tag can resolve increased from 1000 to 3000.

The following diagnose commands are available to verify address information:
# diagnose firewall fqdn <option>

Option Description
list-ip List IP FQDN information.
list-mac List MAC FQDN information.
list-all List FQDN information.
getinfo-ip Get information of IP FQDN address.
getinfo-mac Get information of MAC FQDN address.
get-ip Get and display one IP FQDN address.
get-mac Get and display one MAC FQDN address.

Use FQDN with ZTNA TCP forwarding access proxy

When defining ZTNA connection rules on FortiClient for TCP forwarding, it is sometimes desirable to configure the
destination host address as an FQDN address instead of an IP address. Since the real servers are often servers in the
corporate network, this layer of obfuscation prevents internal IPs from easily leaking to the public, and also makes the
destination more easily recognizable by the end users.
One obstacle to overcome is getting remote hosts to resolve an internal FQDN that is typically only resolvable by an
internal DNS in the corporate network. This can be solved with the following:
1. When an FQDN address is added as a destination host in a ZTNA connection rule, FortiClient creates a virtual IP for
this FQDN address and adds this to the computer’s host file (Windows). The same is true when a ZTNA connection
rule entry is pushed from EMS.
2. The virtual IP mapped to the FQDN address is not the real address of the server. It allows applications to resolve the
FQDN address to this virtual IP. FortiClient listens to any traffic destined for it and forwards the traffic using the TCP
forwarding URL with FQDN to the ZTNA access proxy.
3. The access proxy will resolve the FQDN using the internal DNS on the corporate network, matching the traffic to the
ZTNA real server configuration with the same domain and address.
4. If a valid ZTNA real server entry is found, traffic is forwarded to the real server.

This feature requires a minimum FortiClient and FortiClient EMS version of 7.0.3.

Example

In this example, two servers in the internal network are added for TCP forwarding. The remote client configures two
ZTNA connection rules, with the destination host field pointing to the FQDN addresses of the internal servers. These
FQDN addresses are configured in the FortiProxy’s DNS database so that they can be resolved by the FortiProxy. It is
recommended to use an internal DNS server for production environments.
This example assumes that the EMS Fabric connector is already successfully connected.


To configure the TCP forwarding access proxy:

1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.
2. Click Create New.
3. Set Name to ZTNA_S1.
4. Configure the network settings:
a. Set External interface to any.
b. Set External IP to 172.18.62.32.
c. Set External port to 443.
5. Select the Default certificate. Clients will be presented with this certificate when they connect to the access proxy
VIP.
6. Add server mapping:
a. In the Service/server mapping table, click Create New.
b. For Service, select TCP Forwarding.
c. Add a server:
i. In the Servers table click Create New.
ii. Create a new FQDN address for the HTTPS server at s27.qa.fortinet.com, then click OK.
iii. Apply the new address object as the address for the new server.
iv. Click OK.
d. Add another server using the same steps for s29.qa.fortinet.com.
7. Click OK. Now that the ZTNA server is complete, the domain settings must be configured in the CLI to map domains
to the real servers.

To map domains to the real servers:

config firewall access-proxy
edit "ZTNA_S1"
set vip "ZTNA_S1"
set client-cert enable
config api-gateway
edit 2
set url-map "/tcp"
set service tcp-forwarding
config realservers 
edit 4
set address "s27.qa.fortinet.com"
set domain "qa.fortinet.com"
next
edit 5
set address "s29.qa.fortinet.com"
set domain "qa.fortinet.com"
next
end
next
end
next
end


To configure the ZTNA rule:

1. Go to Policy & Objects > ZTNA and select the ZTNA Rules tab.
2. Click Create New.
3. Set Name to ZTNA_TCP.
4. Set Incoming Interface to port2.
5. Set Source to all.
6. Select the ZTNA server ZTNA_S1.
7. Configure the remaining options as needed.
8. Click OK.

To configure the DNS entries for each server:

1. Enable the DNS database visibility:
a. Go to System > Feature Visibility.
b. Enable DNS Database.
c. Click Apply.
2. Go to Network > DNS Service.
3. In DNS Database table click Create New.
4. Set DNS Zone to ZTNA.
5. Set Domain Name to qa.fortinet.com.
6. Add the DNS entries:
a. In DNS Entries table click Create New.
b. Set Hostname to s27.
c. Set IP Address to the HTTPS server address.
d. Click OK.
e. Add another DNS entry using the same steps for the s29.qa.fortinet.com HTTP server.
7. Click OK.

Testing the connection to the access proxy

Before connecting, users must have a ZTNA connection rule in FortiClient.

ZTNA TCP forwarding rules can be provisioned from the EMS server. See Provisioning ZTNA
TCP forwarding rules via EMS for more details.

To create the ZTNA rules in FortiClient and connect:

1. From the ZTNA Connection Rules tab, click Add Rule.
2. Create a rule for the HTTPS server:
a. Set Rule Name to server27.
b. Set Destination Host to s27.qa.fortinet.com:443.
c. Set Proxy Gateway to 172.18.62.32:443.
d. Disable Encryption.
e. Click Create.
3. Create a rule for the HTTP server:
a. Set Rule Name to server29.
b. Set Destination Host to s29.qa.fortinet.com:80.
c. Set Proxy Gateway to 172.18.62.32:443.
d. Disable Encryption.
e. Click Create.
4. Upon creating the ZTNA rules, two new entries are added to the Windows PC’s host file in folder
C:\Windows\System32\drivers\etc. View the file, and observe the new entries for the virtual IP and FQDN pairing for
each ZTNA connection rule.
# ----- FORTICLIENT ZTNA VIP START -----
10.235.0.1 s27.qa.fortinet.com
10.235.0.2 s29.qa.fortinet.com
# ----- FORTICLIENT ZTNA VIP END -----

5. The Windows PC now resolves the FQDNs to the virtual IPs, and FortiClient will listen to the traffic to these IPs and
forward them to the TCP access proxy.
6. Have the remote user connect to the HTTPS and HTTP servers on a browser. After device verification, the user is
able to successfully connect to the remote servers.
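The hosts-file entries shown in step 4 are what FortiClient relies on to steer traffic for an FQDN rule into the access proxy, so troubleshooting a rule that does not connect usually starts by checking that block. The following Python script is an added example (not FortiClient or Fortinet code) that parses the block between the START/END marker lines and compares it with the Destination Host values of the ZTNA connection rules. The hosts file content it uses is constructed, and the marker format is assumed to be exactly as shown above.

```python
"""Parse the FortiClient ZTNA VIP block out of a Windows hosts file.

Added example (not FortiClient or Fortinet code). It assumes FortiClient
writes its entries between the START/END marker lines exactly as shown in
the guide; the sample hosts file content below is constructed.
"""
import ipaddress

START_MARKER = "# ----- FORTICLIENT ZTNA VIP START -----"
END_MARKER = "# ----- FORTICLIENT ZTNA VIP END -----"

# Constructed sample: a default Windows hosts file with the FortiClient block appended.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
# ----- FORTICLIENT ZTNA VIP START -----
10.235.0.1 s27.qa.fortinet.com
10.235.0.2 s29.qa.fortinet.com
# ----- FORTICLIENT ZTNA VIP END -----
"""


def parse_ztna_vips(text: str) -> dict[str, str]:
    """Return {fqdn: virtual_ip} for the entries inside the FortiClient block.

    Ordinary hosts entries outside the markers are ignored, as are comments,
    blank lines and lines whose first field is not a valid IP address.
    """
    mapping: dict[str, str] = {}
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == START_MARKER:
            inside = True
            continue
        if line == END_MARKER:
            inside = False
            continue
        if not inside or not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: skip rather than guess
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping


def check_ztna_rules(text: str, destination_hosts: list[str]) -> dict[str, list[str]]:
    """Compare the hosts-file block with the Destination Host values of the
    ZTNA connection rules (for example "s27.qa.fortinet.com:443").

    "missing" lists rule FQDNs with no VIP entry (the rule did not take effect);
    "unexpected" lists VIP entries that no current rule explains (a stale rule,
    or a hand edit to the hosts file worth investigating).
    """
    present = set(parse_ztna_vips(text))
    expected = {h.rsplit(":", 1)[0].lower() for h in destination_hosts}
    return {
        "missing": sorted(expected - present),
        "unexpected": sorted(present - expected),
    }


if __name__ == "__main__":
    rules = ["s27.qa.fortinet.com:443", "s29.qa.fortinet.com:80"]
    print(parse_ztna_vips(SAMPLE_HOSTS))
    print(check_ztna_rules(SAMPLE_HOSTS, rules))
```

To use it on a real client, read the text of C:\Windows\System32\drivers\etc\hosts and pass it to the functions together with the Destination Host values from the FortiClient rules. An FQDN reported as missing means the rule never created its virtual IP; an unexpected entry points at a rule that was deleted without cleanup or at an edit that did not come from FortiClient.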

Security Profiles

The FortiProxy unit combines a number of security features to protect your network from threats. As a whole, these
features, when included in a single Fortinet security appliance, are referred to as security profiles.
A profile is a group of settings that you can apply to one or more firewall policies. Each Security Profile feature is enabled
and configured in a profile, list, or sensor. These are then selected in a security policy and the settings apply to all traffic
matching the policy. For example, if you create an antivirus profile that enables antivirus scanning of HTTP traffic, and
select the antivirus profile in the security policy that allows your users to access the World Wide Web, all of their web
browsing traffic will be scanned for viruses.
Because you can use profiles in more than one security policy, you can configure one profile for the traffic types handled
by a set of firewall policies requiring identical protection levels and types, rather than repeatedly configuring those same
profile settings for each individual security policy.
For example, while traffic between trusted and untrusted networks might need strict protection, traffic between trusted
internal addresses might need moderate protection. To provide the different levels of protection, you might configure two
separate sets of profiles: one for traffic between trusted networks, and one for traffic between trusted and untrusted
networks. FortiProxy does not modify the original payload if no security action is taken.
This section covers the following topics:
l AntiVirus on page 223
l Web Filter on page 230
l Video Filter on page 239
l DNS Filter on page 242
l Application Control on page 247
l Intrusion Prevention on page 253
l File Filter on page 256
l Email Filter on page 259
l Web Application Firewall on page 262
l SSL/SSH Inspection on page 266
l Application Signatures on page 275
l IPS Signatures on page 278
l Web Rating Overrides on page 281
l Web Profile Overrides on page 283
l Profile Groups on page 286
l Data Leak Prevention on page 287
l DLP File Pattern on page 298
The following are brief descriptions of the security profiles and their features.

Antivirus

Your FortiProxy unit stores a virus signature database that can identify more than 15,000 individual viruses. FortiProxy
models that support additional virus databases are able to identify hundreds of thousands of viruses. With a FortiGuard
Antivirus subscription, the signature databases are updated whenever a new threat is discovered.


Antivirus also includes file filtering. When you specify files by type or by file name, the FortiProxy unit will block the
matching files from reaching your users.
FortiProxy units with a hard drive or configured to use a FortiAnalyzer unit can store infected and blocked files that you
can examine later.

Web filter

Web filtering includes a number of features you can use to protect or limit your users’ activity on the web.
FortiGuard Web Filtering is a subscription service that allows you to limit access to web sites. More than 60 million web
sites and two billion web pages are rated by category. You can choose to allow or block each of the 77 categories.
URL filtering can block your network users from access to URLs that you specify.
Web content filtering can restrict access to web pages based on words and phrases appearing on the web page itself.
You can build lists of words and phrases, each with a score. When a web content list is selected in a web filter profile, you
can specify a threshold. If a user attempts to load a web page and the score of the words on the page exceeds the
threshold, the web page is blocked.
You can create overrides to web filter profiles as well.
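The content scoring rule just described can be made concrete with a small model. The following Python code is an added example, not FortiProxy code: it assumes matching is case-insensitive on word boundaries, that the words of a phrase may be separated by any whitespace, and that every occurrence of a pattern adds the pattern's score to the page total (the page does not state the product's exact counting rule). The content list, threshold and sample pages are constructed.

```python
"""Web content filtering: score a page against a word/phrase list and block it
when the total exceeds a threshold.

Added example, not FortiProxy code. Assumptions: case-insensitive matching on
word boundaries, phrase words separated by any whitespace, and every
occurrence of a pattern adds that pattern's score (the product's exact
counting rule is not stated on the page). Content list and pages are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ContentPattern:
    pattern: str  # a single word or a multi-word phrase
    score: int


def compile_pattern(entry: ContentPattern) -> re.Pattern:
    """Turn "free download" into \\bfree\\s+download\\b, escaping regex metacharacters."""
    words = [re.escape(w) for w in entry.pattern.split()]
    return re.compile(r"\b" + r"\s+".join(words) + r"\b", re.IGNORECASE)


def score_page(text: str, content_list: list[ContentPattern]) -> dict[str, int]:
    """Return {pattern: contributed_score} for every pattern that matched."""
    contributions: dict[str, int] = {}
    for entry in content_list:
        hits = len(compile_pattern(entry).findall(text))
        if hits:
            contributions[entry.pattern] = hits * entry.score
    return contributions


def evaluate_page(text: str, content_list: list[ContentPattern], threshold: int) -> tuple[str, int]:
    """Return ("block" | "allow", total_score); the page is blocked when total > threshold."""
    total = sum(score_page(text, content_list).values())
    return ("block" if total > threshold else "allow"), total


# Constructed content list and threshold for the demonstration.
CONTENT_LIST = [
    ContentPattern("free download", 30),
    ContentPattern("crack", 20),
    ContentPattern("keygen", 20),
]
THRESHOLD = 40

# Constructed sample pages: one that should be blocked, one with a single incidental hit.
PAGE_A = "Get the free download now! Includes crack and keygen. Free download mirror."
PAGE_B = "Our research team published an analysis of a new crack in the dam wall."

if __name__ == "__main__":
    for page in (PAGE_A, PAGE_B):
        print(evaluate_page(page, CONTENT_LIST, THRESHOLD), score_page(page, CONTENT_LIST))
```

The per-pattern breakdown returned by score_page is the part worth keeping in a real deployment: when a page is blocked, it shows which entries drove the total, which is what you need to tune scores and the threshold so that a single incidental word (PAGE_B) does not trip the filter while a page saturated with the listed phrases (PAGE_A) does.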

Video filter

With the video filter profile, you can filter YouTube videos by channel ID for a more granular override of a single channel,
user, or video. The video filter profile is currently supported in proxy-based policies and requires SSL deep inspection.

DNS filter

The FortiProxy will inspect DNS traffic to any DNS server, so long as the policy has DNS inspection enabled. The
FortiProxy will intercept DNS requests, regardless of the destination IP, and redirect it to the FortiGuard Secure DNS
server—this is separate from the FortiGuard DNS server.
The Secure DNS server will resolve and rate the FQDN and send a DNS response which includes both IP and rating of
the FQDN back to the FortiProxy, where it will handle the DNS response according to the DNS filter profile.

Application control

Although you can block the use of some applications by blocking the ports they use for communications, many
applications do not use standard ports to communicate. Application control can detect the network traffic of more than
1,000 applications, improving your control over application communication.
You can also write custom signatures tailored to your network.

Intrusion protection

The FortiProxy Intrusion Protection System (IPS) protects your network against hacking and other attempts to exploit
vulnerabilities of your systems. More than 3,000 signatures are able to detect exploits against various operating
systems, host types, protocols, and applications. These exploits can be stopped before they reach your internal network.
You can also write custom signatures tailored to your network.


File filter

The file filter allows the FortiProxy unit to block files passing through based on file type, using the file’s metadata only
and not its size or content. A DLP sensor must be configured to block files based on size or content, such as SSN
numbers, credit card numbers, or regular expression patterns. The file filter can be applied directly to firewall policies.

Email filter

Email filters perform spam detection and filtering. You can customize the default profile or create your own and apply it to
a firewall policy.

Web application firewall

Web application firewall (WAF) profiles can detect and block known web application attacks. You can configure WAF
profiles to use signatures and constraints to examine web traffic. You can also enforce an HTTP method policy, which
controls the HTTP method that matches the specified pattern.

SSL/SSH inspection

SSL/SSH inspection (otherwise known as deep inspection) is used to scan HTTPS traffic in the same way that HTTP
traffic can be scanned. This allows the FortiProxy to receive and open up the encrypted traffic on behalf of the client, then
the traffic is re-encrypted and sent on to its intended destination.
Individual Deep Inspection profiles can be created, depending on the requirements of the policy. Depending on the
profile, you can:
l Configure which CA certificate will be used to decrypt the SSL encrypted traffic
l Configure which SSL protocols will be inspected
l Configure which ports will be associated with which SSL protocols for inspection
l Configure whether or not to allow invalid SSL certificates
l Configure whether or not SSH traffic will be inspected

Data leak prevention

Data leak prevention (DLP) allows you to define the format of sensitive data. The FortiProxy unit can then monitor
network traffic and stop sensitive information from leaving your network. Rules for U.S. social security numbers,
Canadian social insurance numbers, as well as Visa, Mastercard, and American Express card numbers are included.

Order of execution of security profiles

1. Check the IP ban of the UTM quarantine.


2. For transparent HTTPS traffic, process TLS ClientHello with/without SNI:
a. Check the firewall policy to determine what to allow or deny and which security profiles to apply, including TLS
inspection mode, forwarding proxy, and so on.
b. Check the TLS exemption of deep inspection if necessary.
c. Check the URL filtering of the web-filtering profile based on hosts learned from TLS negotiation and whether
web-filter-based exemptions need to be applied.
d. Apply TLS sanity checks.
e. If no deep inspection is needed, forward the traffic back and forth with only the possible IPS scans.
3. Process the HTTP request headers for plaintext HTTP or decrypted HTTPS traffic:
a. Check the firewall policy on the HTTP request to determine whether to allow or deny and which security profiles
to apply:
i. Check the TLS inspection mode for the HTTP CONNECT request.
ii. Determine the forwarding proxy for plaintext HTTP.
b. Check the URL filtering of the web-filtering profile based on the URL in the HTTP request.
c. Apply the video filter profile if necessary.
d. Apply the web application profile (WAF) on the HTTP headers if necessary.
e. Apply the web proxy profile to the HTTP request header.
f. Perform a botnet check in the IPS profile if necessary.
g. Apply the ICAP profile to forward the HTTP request headers to the ICAP server.
h. Apply the IPS sensor and Application Control profiles to the HTTP request headers.
4. Process the HTTP request streaming data of the body if the body exists:
a. Apply the web application profile (WAF) on the HTTP request body if necessary.
b. Apply the stream-based file filtering, web content filtering, and antivirus scanning.
c. Apply the IPS sensor and Application Control profiles to the HTTP request body.
d. Apply the ICAP profile to forward the HTTP request body to the ICAP server.
5. Process the HTTP request whole body if the body exists:
a. Apply file filtering, web content filtering, antivirus scanning, and DLP to the whole HTTP request.
6. Process the HTTP response headers:
a. Apply the web application profile (WAF) on the HTTP headers if necessary.
b. Apply the web proxy profile to the HTTP response headers.
c. Apply the ICAP profile to forward the HTTP response headers to the ICAP server.
d. Apply the IPS sensor and Application Control profiles to the HTTP response headers.
7. Process the HTTP response streaming data of the body if the body exists:
a. Apply the web application profile (WAF) on the HTTP response body if necessary.
b. Apply the stream-based file filtering, web content filtering, and antivirus scanning.
c. Apply the IPS sensor and Application Control profiles to the HTTP response body.
d. Apply the ICAP profile to forward the HTTP response body to the ICAP server.
8. Process the HTTP response whole body if the body exists:
a. Apply file filtering, web content filtering, antivirus scanning, and DLP to the whole HTTP response.

AntiVirus

An antivirus profile contains specific configuration information that defines how the traffic within a policy is examined and
what action can be taken based on the examination. Multiple antivirus profiles can be created for different antivirus
scanning requirements. These profiles can then be applied to firewall policies.
To view available antivirus profiles, go to Security Profiles > AntiVirus.


Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create an antivirus profile. See Create or edit an antivirus profile on page 224.

Edit Modify the selected antivirus profile. See Create or edit an antivirus profile on
page 224.

Clone Make a copy of the selected antivirus profile.

Delete Remove the selected antivirus profile.

Search Enter a search term to find in the list.

Name The name of the antivirus profile.

Comments An optional description of the antivirus profile.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create or edit an antivirus profile

Click Create New to open the Create AntiVirus Profile window.


Select an antivirus profile and then click Edit to open the Edit AntiVirus Profile window.
Configure the following settings in the Create AntiVirus Profile window and then click OK:

Name Enter the name of the antivirus profile.

Comments Optionally, enter a description of the profile.

Options For each protocol, enable or disable antivirus scanning, blocking, and monitoring.

Outbreak Prevention FortiGuard Virus Outbreak Protection Service (VOS) allows the FortiProxy
antivirus database to be subsidized with third-party malware hash signatures
curated by FortiGuard. The hash signatures are obtained from FortiGuard's
Global Threat Intelligence database. The antivirus database queries FortiGuard
with the hash of a scanned file. If FortiGuard returns a match, the scanned file is
deemed to be malicious. Enabling the AV engine scan is not required to use this
feature.

Scanning Files by FortiAI Server Not supported in 7.0.0.

Content Disarm Content disarm and reconstruction (CDR) allows the FortiProxy unit to sanitize
Microsoft Office documents and PDF files (including those that are in ZIP
archives) by removing active content, such as hyperlinks, embedded media,
JavaScript, macros, and so on from the files (disarm) without affecting the
integrity of its textual content (reconstruction). It allows network administrators to
protect their users from malicious document files.
Files processed by CDR can be stored locally for quarantine on FortiAnalyzer,
FortiSandbox, or FortiProxy models with a hard disk. The original copies can also
be obtained in the event of a false positive.
CDR is supported on HTTP, SMTP, POP3, and IMAP. NOTE: SMTP splice and
client-comfort mode are not supported.

Archive Block For each protocol, select the file types to block.

Archive Log For each protocol, select the file types to log.

Send Files to FortiSandbox Cloud for Inspection If you want files to be inspected by FortiSandbox Cloud, select Suspicious or
everything.

Use FortiSandbox Database Enable this option to use the FortiSandbox database.

Include Mobile Malware Protection Enable this option to protect mobile devices from malware.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.


Stream-based antivirus scan for FTP, SFTP, and SCP

Stream-based antivirus scanning is supported for FTP, SFTP, and SCP protocols.
l Stream-based antivirus scanning optimizes memory usage for large archive files by decompressing the files on the
fly and scanning the files as they are extracted.
l File types can be determined after scanning a few KB, without buffering the entire file.
l Viruses can be detected even if they are hiding in the middle or end of a large archive.
l When scanning smaller files, traffic throughput is improved by scanning the files directly on the proxy-based WAD
daemon, without invoking scanunit.
Stream-based scanning is the default scan mode. To disable stream-based scanning, set the scan mode to legacy;
the archive is then only scanned after the entire file has been received.

To configure stream-based scan:

config antivirus profile
edit <string>
...
set scan-mode {default* | legacy}
...
next
end

Configuring threat feed and outbreak prevention without AV engine scan

In the CLI, users can enable malware threat feeds and outbreak prevention without performing an antivirus scan. In the
GUI and CLI, users can choose to use all malware threat feeds, or specify the ones that they want to use. Replacement
messages have been updated for external block lists.
config antivirus profile
edit <name>
config http
set av-scan {disable | block | monitor}
set outbreak-prevention {disable | block | monitor}
set external-blocklist {disable | block | monitor}
set quarantine {enable | disable}
end
...
set outbreak-prevention-archive-scan {enable | disable}
set external-blocklist-enable-all {enable | disable}
set external-blocklist <source>
next
end

To configure malware threat feeds and outbreak prevention without performing an AV scan in the CLI:

config antivirus profile
edit "Demo"
set mobile-malware-db enable
config http
set av-scan disable
set outbreak-prevention block
set external-blocklist block
set quarantine enable
set emulator enable
set content-disarm disable
end
config ftp
set av-scan disable
set outbreak-prevention block
set external-blocklist block
set quarantine enable
set emulator enable
end
config imap
set av-scan monitor
set outbreak-prevention block
set external-blocklist block
set quarantine enable
set emulator enable
set executables default
set content-disarm disable
end
config pop3
set av-scan monitor
set outbreak-prevention block
set external-blocklist block
set quarantine enable
set emulator enable
set executables default
set content-disarm disable
end
config smtp
set av-scan monitor
set outbreak-prevention block
set external-blocklist block
set quarantine enable
set emulator enable
set executables default
set content-disarm disable
end
config mapi
set av-scan monitor
set outbreak-prevention block
set external-blocklist block
set quarantine enable
set emulator enable
set executables default
end
config nntp
set av-scan disable
set outbreak-prevention disable
set external-blocklist disable
set quarantine disable
set emulator enable
end
config cifs
set av-scan monitor
set outbreak-prevention block
set external-blocklist block
set quarantine enable
set emulator enable
end
config ssh
set av-scan disable
set outbreak-prevention disable
set external-blocklist disable
set quarantine disable
set emulator enable
end
set outbreak-prevention-archive-scan enable
set external-blocklist-enable-all disable
set external-blocklist "malhash1"
set av-virus-log enable
set av-block-log enable
set extended-log disable
set scan-mode default
next
end

In this example, quarantine is configured separately for each protocol (set quarantine). Instead of using every
available threat feed (set external-blocklist-enable-all disable), the profile uses only the threat feed connector
malhash1 (set external-blocklist "malhash1").
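A profile like the one above is long enough that a protocol section can be left with every engine disabled without anyone noticing. The following Python script is an added example, not Fortinet code: it parses the config/edit/set/next/end structure shown on this page into nested dictionaries, reports protocol sections in which av-scan, outbreak-prevention and external-blocklist are all disabled, and shows which threat feed sources the profile actually consults. The configuration text it parses is a constructed, shortened variant of the Demo profile with the ftp section deliberately left unprotected.

```python
"""Parse a FortiOS-style CLI configuration block and audit an antivirus profile
for protocol sections that are left with no protection engine at all.

Added example, not Fortinet code. It assumes only the CLI grammar visible on
this page (config / edit / set / next / end, with bare or double-quoted
values). The profile below is a constructed, shortened variant of the "Demo"
profile, with the ftp section deliberately left unprotected.
"""
import shlex

SAMPLE_CONFIG = """\
config antivirus profile
    edit "Demo"
        set mobile-malware-db enable
        config http
            set av-scan disable
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
        end
        config ftp
            set av-scan disable
            set outbreak-prevention disable
            set external-blocklist disable
            set quarantine disable
        end
        config imap
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
        end
        set external-blocklist-enable-all disable
        set external-blocklist "malhash1"
    next
end
"""

# Per-protocol sections of an antivirus profile and the settings that act as a detection engine.
PROTOCOLS = ("http", "ftp", "imap", "pop3", "smtp", "mapi", "nntp", "cifs", "ssh")
ENGINES = ("av-scan", "outbreak-prevention", "external-blocklist")


def parse_fortios_config(text: str) -> dict:
    """Return nested dicts: `config X` and `edit N` each open a child node,
    `set k v` stores v in the innermost node (a list when several values
    follow), and `next`/`end` close the innermost node."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles the double-quoted values
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            child = stack[-1].setdefault(" ".join(args), {})
            stack.append(child)
        elif keyword == "set" and args:
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def active_engines(profile: dict) -> dict[str, list[str]]:
    """For each protocol section present in the profile, list the engines whose
    action is block or monitor. An empty list means that protocol's traffic is
    passed without antivirus, outbreak prevention or threat-feed lookup."""
    return {
        proto: [e for e in ENGINES if profile[proto].get(e, "disable") != "disable"]
        for proto in PROTOCOLS
        if proto in profile
    }


def threat_feed_sources(profile: dict) -> list[str]:
    """Which external block lists the profile consults: "*" for all connectors,
    the named ones, or none (then external-blocklist block/monitor inside a
    protocol section has nothing to match against)."""
    if profile.get("external-blocklist-enable-all") == "enable":
        return ["*"]
    named = profile.get("external-blocklist", [])
    return [named] if isinstance(named, str) else list(named)


def audit(text: str) -> list[str]:
    """Return "profile:protocol" findings for every unprotected protocol section."""
    findings = []
    profiles = parse_fortios_config(text).get("antivirus profile", {})
    for name, profile in profiles.items():
        for proto, engines in active_engines(profile).items():
            if not engines:
                findings.append(f"{name}:{proto}")
    return findings


if __name__ == "__main__":
    demo = parse_fortios_config(SAMPLE_CONFIG)["antivirus profile"]["Demo"]
    print(active_engines(demo))
    print(threat_feed_sources(demo))
    print(audit(SAMPLE_CONFIG))
```

Feed the script the output of a `show antivirus profile` backup and it flags the same condition for every profile at once; the ftp section in the sample is the pattern to look for, since av-scan disable is intended here but only makes sense when outbreak-prevention or external-blocklist still stands in for it.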

Content disarm and reconstruction for antivirus

Content disarm and reconstruction (CDR) allows the FortiProxy to sanitize Microsoft Office documents and PDF files
(including those that are in ZIP archives) by removing active content, such as hyperlinks, embedded media, JavaScript,
macros, and so on from the files (disarm) without affecting the integrity of its textual content (reconstruction). It allows
network administrators to protect their users from malicious document files.
Files processed by CDR can be stored locally for quarantine on FortiAnalyzer, FortiSandbox, or FortiProxy models with a
hard disk. The original copies can also be obtained in the event of a false positive.
CDR is supported on HTTP, SMTP, POP3, and IMAP. NOTE: SMTP splice and client-comfort mode are not supported.

Support and limitations

l CDR can only be performed on Microsoft Office documents and PDF files.
l Local Disk CDR quarantine is only possible on FortiProxy models that contain a hard disk.
l CDR is only supported on HTTP, SMTP, POP3, and IMAP.
l SMTP splice and client-comfort mode are not supported.
l CDR can only work on files in .ZIP type archives.

Configuring the feature

To configure antivirus to work with CDR, you must enable CDR on your antivirus profile, set the quarantine location, and
then fine tune the CDR detection parameters.


To configure CDR:

1. Go to Security Profiles > AntiVirus.
2. Edit an antivirus profile or create a new one.
3. Under Content Disarm, enable the options that you want.
4. Select a quarantine location from the available options:
   • FortiSandbox—Saves the original document file to a connected FortiSandbox.
   • File Quarantine—Saves the original document file to disk (if possible) or a connected FortiAnalyzer based on the FortiProxy log settings (config log fortianalyzer setting).
   • Discard—The default setting, which discards the original document file.
5. Select the action that is taken when an error occurs:
   • Block—Block the file when there is a CDR error.
   • Log Only—Log the CDR error but allow the file to pass.
   • Ignore—When there is a CDR error, let the file pass but do not log the error.
6. Click OK.

To edit the CDR detection parameters:

By default, stripping of all active Microsoft Office and PDF content types is enabled. In this example, stripping macros
in Microsoft Office documents is disabled.
config antivirus profile
    edit <antivirus_profile_name>
        config content-disarm
            set office-macro disable
            set detect-only {enable | disable}
            set cover-page {enable | disable}
            set error-action {block | log-only | ignore}
        end
    next
end

Where:

detect-only Only detect disarmable files, do not alter content. Disabled by default.

cover-page Attach a cover page to the file's content when the file has been processed by CDR. Enabled by default.

Web Filter

This section describes how to configure web filters for HTTP traffic and configure URL filters to allow or block caching of
specific URLs.
After you configure a web filter profile, you can apply it to a policy. A profile is specific information that defines how the
traffic within a policy is examined and what action can be taken based on the examination.
To view available web filter profiles, go to Security Profiles > Web Filter.


Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a web filter profile. See Create or edit a web filter profile on page 231.

Edit Modify the selected web filter profile. See Create or edit a web filter profile on
page 231.

Clone Make a copy of the selected web filter profile.

Delete Remove the selected web filter profile.

Search Enter a search term to find in the web filter profile list.

Name The name of the web filter profile.

Comments An optional description of the web filter profile.

Ref. Displays the number of times the object is referenced by other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create or edit a web filter profile

Click Create New to open the Create Web Filter Profile window.


Select a web filter profile and then click Edit to open the Edit Web Filter Profile window.
Configure the following settings in the Create Web Filter Profile window and then click OK:

Name The name of the web filter profile.

Comments Optional description of the web filter profile.

Log all URLs Enable if you want all URLs to be logged.

FortiGuard category based filter Enable to use FortiGuard categories. If the device is not
licensed for the FortiGuard web-filtering service, traffic can be
blocked by enabling this option.

Allow/Monitor/Block/Warning/Authentication Select the action for each FortiGuard category: Allow, Monitor,
Block, Warning, or Authenticate. You can enter a category to
search for.

Allow users to override blocked categories Enable this option if you want users to be able to override
blocked categories.

Groups that can override Select the user groups that will be able to override blocked
categories.
This option is available only if Allow users to override blocked
categories is enabled.

Profile Name Select which web filter profile to change blocked categories to.
This option is available only if Allow users to override blocked
categories is enabled.

Switch applies to Select whether the new web filter profile applies to a User, User
Groups, or IP or whether to Ask. The user or user groups must
be specified as the Source in firewall policies using this profile.
This option is available only if Allow users to override blocked
categories is enabled.

Switch Duration Select whether blocked categories can be overridden for a predefined period or to Ask.
This option is available only if Allow users to override blocked categories is enabled.

day(s)/hour(s)/minute(s) Select how long users can override blocked categories.
This option is available only if Allow users to override blocked categories is enabled and the Switch Duration is set to Predefined.

Static URL Filter

Block invalid URLs Enable to block web sites when their SSL certificate CN field
does not contain a valid domain name.

URL Filter Enable and then create or edit a URL filter. See Create or edit a
URL filter on page 237.


Block malicious URLs discovered by FortiSandbox Enable to block malicious URLs discovered by FortiSandbox.

Content Filter Enable and then create or edit a content filter to block access to
web pages that include the specified patterns. See Create or
edit a content filter on page 238.

Rating Options

Allow websites when a rating error occurs Enable to allow access to web pages that return a rating error
from the web filter service.
If your unit is temporarily unable to contact the FortiGuard
service, this setting determines what access the unit allows until
contact is re-established. If enabled, users will have full
unfiltered access to all web sites. If disabled, users will not be
allowed access to any web sites.

Rate URLs by domain and IP Address Enable to have the unit request site ratings by URL and IP
address separately, providing additional security against
attempts to bypass the FortiGuard Web Filter.
FortiGuard Web Filter ratings for IP addresses are not updated
as quickly as ratings for URLs. This difference can sometimes
cause the unit to allow access to sites that should be blocked or
to block sites that should be allowed.

Proxy Options

HTTP POST Action Select whether to Allow or Block HTTP POST traffic. HTTP
POST is the command used by your browser when you send
information, such as a form you have filled-out or a file you are
uploading, to a web server.

Remove Cookies Enable to filter cookies from web traffic. Web sites using cookies
might not function properly with this enabled.

API Preview The API Preview allows you to view all REST API requests
being used by the page. You can make changes on the page
that are reflected in the API request preview. This feature is not
available if the user is logged in as an administrator that has
read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.


Using FortiGuard web filter categories to block child sexual abuse and terrorism

Starting in FortiProxy 7.0.0, web filter categories 83 (Child Sexual Abuse, formerly Child Abuse) and 96 (Terrorism) can
be used to enforce blocking and logging the Internet Watch Foundation (IWF) and Counter-Terrorism Internet Referral
Unit (CTIRU) lists, respectively.

To create a web filter profile to block the Child Sexual Abuse and Terrorism categories in the GUI:

1. Go to Security Profiles > Web Filter and click Create New.
2. Enter a name for the new filter.
3. Enable FortiGuard Category Based Filter.
4. In the category table, in the Potentially Liable section, set the Action for the Child Sexual Abuse and Terrorism
categories to Block.
5. Configure the remaining settings as required.
6. Click OK.

To create a web filter profile to block category 83 (Child Sexual Abuse) in the CLI:

config webfilter profile
    edit newfilter
        config ftgd-wf
            unset options
            config filters
                ...
                edit 83
                    set category 83
                    set action block
                next
                ...
            end
        end
    next
end

To test the web filter:

1. Use the web filter profile in a policy.
2. On a device that is connected through the FortiProxy unit and that uses the policy, visit the test URLs for each
category:
http://wfurltest.fortiguard.com/wftest/83.html
http://wfurltest.fortiguard.com/wftest/96.html
3. Log in to the FortiProxy unit and go to Log & Report > Web filter to view the logs for the blocked websites.

Configuring user-name-only credential matching

To configure user-name-only credential matching:

config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            ...
        end
        config antiphish
            set status enable
            set check-username-only enable
            config inspection-entries
                edit "cat34"
                    set fortiguard-category 34
                    set action block
                next
            end
            set domain-controller "win2016"
        end
        set log-all-url enable
    next
end

Configuring different custom pattern types for user names and passwords

To configure different custom pattern types for user names and passwords:

config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            ...
        end
        config antiphish
            set status enable
            config inspection-entries
                edit "cat34"
                    set fortiguard-category 34
                    set action block
                next
            end
            config custom-patterns
                edit "qwer"
                    set type literal
                next
                edit "[0-6]Dat*"
                next
                edit "dauw9"
                    set category password
                    set type literal
                next
                edit "[0-5]foo[1-4]"
                    set category password
                next
            end
            set domain-controller "win2016"
        end
        set log-all-url enable
    next
end


In this example, the qwer and dauw9 entries use the literal type, while [0-6]Dat* and [0-5]foo[1-4] use the
default regex type.

Create or edit a URL filter

You can allow or block access to specific web sites by adding them to the URL filter list. You add the web sites by using
patterns containing text and regular expressions. The FortiProxy unit allows or blocks web pages matching any specified
URLs or patterns and displays a replacement message instead.

Web site blocking does not block access to other services that users can access with a web
browser. For example, web site blocking does not block access to ftp://ftp.example.com.
Instead, use firewall policies to deny ftp connections.

When adding a URL to the web site filter list, follow these rules:
• Type a top-level URL or IP address to control access to all pages on a web site. For example, www.example.com or
192.168.144.155 controls access to all pages at these web sites.
• Enter a top-level URL followed by the path and file name to control access to a single page on a web site. For
example, www.example.com/monkey.html or 192.168.144.155/monkey.html controls access to the monkey page
on this web site.
• To control access to all pages with a URL that ends with example.com, add example.com to the filter list. For
example, adding example.com controls access to www.example.com, mail.example.com,
www.finance.example.com, and so on.
• Control access to all URLs that match patterns using text and regular expressions (or wildcard characters). For
example, example.* matches example.com, example.org, example.net and so on.

URLs with an action set to exempt or pass are not scanned for viruses. If users on the network
download files through the FortiProxy unit from a trusted web site, add the URL of this web site
to the URL filter list with an action to pass it, so the unit does not scan files downloaded from
this URL.
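As an added example that is not part of the guide, the following Python sketch applies the URL filter rules above to a constructed filter list, including the rule that exempt entries skip antivirus scanning. It assumes entries are evaluated in list order with the first match deciding, that a simple pattern matches a host on label boundaries (so example.com also covers mail.example.com) plus an optional single-page path, and that wildcard and regex patterns are searched anywhere in the host and path; these evaluation details are assumptions, not taken from the guide.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class UrlFilterEntry:
    pattern: str
    type: str = "simple"      # "simple", "regex" or "wildcard"
    action: str = "block"     # "exempt", "block", "allow" or "monitor"
    status: bool = True       # a disabled entry is skipped


def split_url(url: str) -> Tuple[str, str]:
    """Return (host, path) for a URL; a bare host such as www.example.com is accepted too."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def _simple_match(pattern: str, host: str, path: str) -> bool:
    # "www.example.com/monkey.html" -> host "www.example.com", page "monkey.html"
    p_host, _, p_path = pattern.lower().partition("/")
    # Label-boundary suffix match: "example.com" covers mail.example.com but not
    # notexample.com; "com" covers every host ending in ".com".
    if not (host == p_host or host.endswith("." + p_host)):
        return False
    if not p_path:
        return True                      # top-level entry controls every page
    return path.lstrip("/") == p_path    # entry with a path controls one page


def _wildcard_to_regex(pattern: str) -> str:
    # Each "*" stands for any run of characters; everything else is literal.
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def entry_matches(entry: UrlFilterEntry, host: str, path: str) -> bool:
    if entry.type == "simple":
        return _simple_match(entry.pattern, host, path)
    target = host + path
    if entry.type == "wildcard":
        return re.search(_wildcard_to_regex(entry.pattern), target, re.I) is not None
    if entry.type == "regex":
        return re.search(entry.pattern, target, re.I) is not None
    raise ValueError(f"unknown pattern type {entry.type!r}")


def evaluate(entries: List[UrlFilterEntry], url: str) -> Optional[str]:
    """Action of the first enabled matching entry, or None when nothing matched
    (the request then continues to the other web filter checks)."""
    host, path = split_url(url)
    for entry in entries:
        if entry.status and entry_matches(entry, host, path):
            return entry.action
    return None


def av_scan_required(entries: List[UrlFilterEntry], url: str) -> bool:
    """Exempt (pass) URLs are not scanned for viruses; everything else is."""
    return evaluate(entries, url) != "exempt"


# Constructed filter list mirroring the rule types described in the guide.
FILTER_LIST = [
    UrlFilterEntry("www.example.com/monkey.html", "simple", "block"),
    UrlFilterEntry("downloads.example.com", "simple", "exempt"),   # trusted download site
    UrlFilterEntry("example.com", "simple", "allow"),              # all *.example.com hosts
    UrlFilterEntry("example.*", "wildcard", "monitor"),            # example.org, example.net, ...
    UrlFilterEntry(r"^[0-9.]+/", "regex", "block"),                # any URL using a raw IPv4 address
    UrlFilterEntry("xyz", "simple", "block", status=False),        # disabled, never consulted
]

if __name__ == "__main__":
    for u in ("http://www.example.com/monkey.html", "https://downloads.example.com/tool.zip",
              "http://example.org/", "http://192.168.144.155/admin", "http://xyz/"):
        print(u, "->", evaluate(FILTER_LIST, u), "scan:", av_scan_required(FILTER_LIST, u))
```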

To create a URL filter:

1. Go to Security Profiles > Web Filter.
2. Click Create New or select a web filter profile and then click Edit.
3. Enable URL Filter.
4. In the URL Filter table, click Create New. The New URL Filter window opens.
5. Enter the URL to filter in the URL field. Enter a top-level domain suffix (for example, “com” without the leading
period) to block access to all web sites with this suffix.
6. Select the type of pattern to match: Simple, Reg. Expression, or Wildcard.


7. Select the action to take when the pattern is matched:
   • Exempt: Allow trusted traffic to bypass the antivirus proxy operations.
   • Block: Block access to any URLs matching the URL pattern and display a replacement message. See Replacement Messages on page 430.
   • Allow: Allow access to any URL that matches the URL pattern.
   • Monitor: Monitor traffic to and from URLs matching the URL pattern.
8. Enable or disable the status of the filter to make the filter active or inactive.
9. Enter the referrer host name.
10. Click OK to save the URL filter.
11. Click OK to save the changes to the web filter profile.

To edit a URL filter:

1. Go to Security Profiles > Web Filter.
2. Click Create New or select a web filter profile and then click Edit.
3. In the URL Filter table, double-click on a filter or select the filter and then click Edit in the toolbar.
4. Edit the filter settings as required.
5. Click OK to save your changes to the URL filter.
6. Click OK to save the changes to the web filter profile.

Create or edit a content filter

Content filters can be added or edited, as required.

To create a web content filter:

1. Go to Security Profiles > Web Filter.
2. Click Create New or select a web filter profile and then click Edit.
3. In the Static URL Filter section, enable Content Filter.
4. Select Create New.
5. Select the Pattern Type, either Wildcard or Regular Expression.
6. Enter the content Pattern to match.
7. Select the Language from the drop-down menu.
8. Select Block or Exempt.
9. Enable the Status.
10. Click OK.

To edit a web content filter:

1. Go to Security Profiles > Web Filter.
2. Click Create New or select a web filter profile and then click Edit.
3. In the Static URL Filter section, enable Content Filter.
4. Select the content filter you want to edit and then click Edit from the toolbar. The Edit Web Content Filter window
opens.
5. Edit the information as required and then click OK to apply your changes.


Video Filter

With the video filter profile, you can filter YouTube videos by channel ID for a more granular override of a single channel,
user, or video. The video filter profile is currently supported in proxy-based policies and requires SSL deep inspection.
To view available video filter profiles, go to Security Profiles > Video Filter.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a video filter profile. See Create or edit a video filter profile on page 239.

Edit Modify the selected video filter profile. See Create or edit a video filter profile on
page 239.

Clone Make a copy of the selected video filter profile.

Delete Remove the selected video filter profile.

Search Enter a search term to find in the video filter profile list.

Name The name of the video filter profile.

Comments An optional description of the video filter profile.

Ref. Displays the number of times the object is referenced by other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create or edit a video filter profile

Click Create New to open the New Video Filter Profile window.


Select a video filter profile and then click Edit to open the Edit Video Filter Profile window.
Configure the following settings in the New Video Filter Profile window and then click OK:

Name The name of the video filter profile.

Comments Optional description of the video filter profile.


FortiGuard category based filter Enable to use FortiGuard categories. If the device is not licensed for the FortiGuard web-filtering service, traffic can be blocked by enabling this option.

Allow/Monitor/Block Select the action for each FortiGuard category: Allow, Monitor, or Block.

YouTube

Channel override list Create or edit a YouTube channel override list. See Create or edit a channel
override entry on page 242.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

To configure a video filter in the CLI:

config videofilter youtube-channel-filter
    edit <identifier>
        set name <string>
        config entries
            edit <identifier>
                set action {allow | monitor | block}
                set channel-id <string>
            next
        end
    next
end

For example:
config videofilter youtube-channel-filter
    edit 1
        set name "channel_filter"
        config entries
            edit 1
                set action block
                set channel-id "UCJHo4AuVomwMRzgkA5DQEOA"
            next
        end
    next
end


Create or edit a channel override entry

You can override the video filter with channel override entries.

To create a channel override entry:

1. Go to Security Profiles > Video Filter.
2. Click Create New or select a video filter profile and then click Edit.
3. Click Create New. The New Channel override Entry window opens.
4. Enter the YouTube channel ID.
5. Enter a description of the YouTube channel.
6. Select the action to take when the pattern is matched:
   • Allow: Allow access to the YouTube channel.
   • Monitor: Monitor traffic to and from the YouTube channel.
   • Block: Block access to the YouTube channel and display a replacement message. See Replacement Messages on page 430.
7. Click OK to save the channel override entry.
8. Click OK to save the changes to the video filter profile.

To edit a channel override entry:

1. Go to Security Profiles > Video Filter.
2. Click Create New or select a video filter profile and then click Edit.
3. Select a channel override entry and then click Edit.
4. Edit the entry settings as required.
5. Click OK to save your changes to the channel override entry.
6. Click OK to save the changes to the video filter profile.

DNS Filter

You can configure DNS filtering to allow, block, or monitor access to web content according to FortiGuard categories.
When DNS filtering is enabled, your FortiProxy unit must use the FortiGuard DNS service for DNS lookups. DNS lookup
requests sent to the FortiGuard DNS service return with an IP address and a domain rating that includes the FortiGuard
category of the web page.
If that FortiGuard category is set to block, the result of the DNS lookup is not returned to the requester. If the category is
set to redirect, then the address returned to the requester points at a FortiGuard redirect page.
You can also allow or monitor access based on the FortiGuard category.
To view available DNS filter profiles, go to Security Profiles > DNS Filter.


Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a DNS filter profile. See Create or edit a DNS filter profile on page 243.

Edit Modify the selected DNS filter profile. See Create or edit a DNS filter profile on
page 243.

Clone Make a copy of the selected DNS filter profile.

Delete Remove the selected DNS filter profile.

Search Enter a search term to find in the DNS filter list.

Name The name of the DNS filter profile.

Comments An optional description of the DNS filter profile.

Ref. Displays the number of times the object is referenced by other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create or edit a DNS filter profile

Click Create New to open the New DNS Filter Profile window.


Configure the following settings and then click OK:

Name The name of the DNS filter profile.

Comments Optional description of the DNS filter profile.

Redirect botnet C&C requests to Block Portal FortiGuard Service continually updates the botnet C&C domain list. The botnet C&C domain blocking feature can block the botnet website access at the DNS name resolving stage. This provides additional protection for your network.

Enforce 'Safe search' on Google, Bing, YouTube The DNS safe search option helps avoid explicit and inappropriate results in the Google, Bing, and YouTube search engines. The FortiProxy responds with content filtered by the search engine.

Restrict YouTube Access Select the Strict or Moderate level of restriction for YouTube access.
This option is available only if Enforce 'Safe search' on Google, Bing, YouTube is enabled.

FortiGuard category based filter Enable if you want to use FortiGuard categories. If the device is not licensed for the FortiGuard web-filtering service, traffic can be blocked by enabling this option.

Allow/Monitor/Redirect to Block Portal Select the action for each FortiGuard category: Allow, Monitor, or Redirect to Block Portal.

Static Domain Filter

Domain Filter Enable to create or edit domain filters. See Create or edit a domain filter on page 246.

External IP Block Lists Enable to create or select a list of external IP addresses to block. See External Connectors on page 458.

DNS Translation This setting allows you to translate a DNS resolved IP address to another IP address you specify on a per-policy basis. See Create or edit a DNS translation entry on page 247.

Options

Redirect Portal IP If you want the FortiProxy unit to use the portal IP address to replace the resolved IP address in the DNS response packet, select Use FortiGuard Default or Specify. If you select Specify, enter the portal IP address.

Allow DNS requests when a rating error occurs Enable to allow access to domains that return a rating error from the web filter service.
If your unit is temporarily unable to contact the FortiGuard service, this setting determines what access the unit allows until contact is re-established. If enabled, users will have full unfiltered access to all domains. If disabled, users will not be allowed access to any domains.

Log all DNS queries and responses Enable if you want DNS queries and responses logged.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.


To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

To edit a DNS filter profile:

1. Go to Security Profiles > DNS Filter.
2. Select the profile you want to edit and then click Edit from the toolbar or double-click on the profile name in the list.
The Edit DNS Filter Profile window opens.
3. Edit the information as required and then select OK to save your changes.

Create or edit a domain filter

The DNS static domain filter allows you to block, exempt, or monitor DNS requests by using IPS to look inside DNS
packets and match the domain being looked up against the domains on the static URL filter list. If there is a match, the
DNS request can be blocked, exempted, monitored, or allowed.
If blocked, the DNS request is dropped, so the user cannot look up the address and connect to the site.
If exempted, access to the site is allowed even if another method is used to block it.

To create a domain filter:

1. Go to Security Profiles > DNS Filter.
2. Click Create New or select a DNS filter profile and then click Edit.
3. Enable Domain Filter.
4. In the Domain Filter table, select Create New. The Create Domain Filter window opens.
5. Enter the domain to filter in the Domain field. Enter a top-level domain suffix (for example, “com” without the leading
period) to block access to all web sites with this suffix.
6. Select the type of pattern to match: Simple, Reg. Expression, or Wildcard.
7. Select the action to take when the pattern is matched:
l Redirect to Block Portal: If a DNS query domain name rating belongs to the block category, the query is
blocked and redirected.
l Allow: Allow access to any domain that matches the domain pattern.
l Monitor: Monitor traffic to and from domains matching the domain pattern.
8. Enable or disable the status of the filter to make the filter active or inactive.
9. Click OK to save the domain filter.
10. Click OK to save the DNS filter profile.

To edit a domain filter:

1. Go to Security Profiles > DNS Filter.
2. Click Create New or select a DNS filter profile and then click Edit.


3. Enable Domain Filter.
4. In the Domain Filter table, double-click on a filter or select the filter and then click Edit in the toolbar.
5. Edit the filter settings as required.
6. Click OK to save your changes to the domain filter.
7. Click OK to save the DNS filter profile.

Create or edit a DNS translation entry

This setting allows you to translate a DNS resolved IP address to another IP address you specify on a per-policy basis.
For example, website A has a public address of 1.2.3.4. However, when your internal network users visit this website,
you want them to connect to the internal host 192.168.3.4. You can use DNS translation to translate the DNS resolved
address 1.2.3.4 to 192.168.3.4. Reverse use of DNS translation is also applicable. For example, if you want a public
DNS query of your internal server to get a public IP address, then you can translate a DNS resolved private IP to a public
IP address.

To create a DNS translation entry:

1. Go to Security Profiles > DNS Filter and enable DNS Translation.
2. In the DNS Translation table, select Create New. The New DNS Translation window opens.
3. Select the type of IP address to translate, either IPv4 or IPv6.
4. In the Original Destination field, enter the domain's original IP address.
5. In the Translation Destination field, enter the IP address that you want used instead of the original IP address.
6. Enter the network mask.
7. Enable or disable the status.
8. Click OK to save the DNS translation entry.
9. Click OK to save the DNS filter profile.

To edit a DNS translation entry:

1. Go to Security Profiles > DNS Filter and enable DNS Translation.
2. In the DNS Translation table, double-click on an entry or select an entry and then click Edit in the toolbar.
3. Edit the settings as required.
4. Click OK to save the DNS translation entry.
5. Click OK to save the DNS filter profile.
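The translation logic described above, as an added Python example that is not part of the guide or the product. It uses the 1.2.3.4 to 192.168.3.4 example from the text and assumes that the network mask selects which bits of the resolved address must equal the Original Destination, with the remaining host bits carried over into the Translation Destination (so a mask shorter than a full host mask translates a whole subnet); the 203.0.113.0/24 entry and the answer lists are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class DnsTranslationEntry:
    original: str        # Original Destination: the address the DNS server returned
    translated: str      # Translation Destination: the address clients should receive
    netmask: str         # Network mask; 255.255.255.255 translates exactly one host
    status: bool = True  # a disabled entry is skipped


def translate_resolved_ip(entries: List[DnsTranslationEntry], resolved: str) -> str:
    """Return the address to place in the DNS answer for one resolved IP.

    The first enabled entry whose masked Original Destination equals the masked
    resolved address wins; unmatched addresses are returned unchanged.
    """
    ip = ipaddress.ip_address(resolved)
    all_ones = (1 << ip.max_prefixlen) - 1
    for entry in entries:
        if not entry.status:
            continue
        original = ipaddress.ip_address(entry.original)
        translated = ipaddress.ip_address(entry.translated)
        if original.version != ip.version:
            continue                      # IPv4 entries never match IPv6 answers
        mask = int(ipaddress.ip_address(entry.netmask))
        if (int(ip) & mask) != (int(original) & mask):
            continue
        # Keep the host bits of the resolved address, swap in the translated network.
        host_bits = int(ip) & (~mask & all_ones)
        return str(ipaddress.ip_address((int(translated) & mask) | host_bits))
    return str(ip)


def translate_answers(entries: List[DnsTranslationEntry], answers: List[str]) -> List[str]:
    """Apply the translation table to every A/AAAA answer in a DNS response."""
    return [translate_resolved_ip(entries, a) for a in answers]


# Constructed table: the guide's website-A example plus a whole-subnet rewrite.
INTERNAL_TABLE = [
    DnsTranslationEntry("1.2.3.4", "192.168.3.4", "255.255.255.255"),
    DnsTranslationEntry("203.0.113.0", "10.0.5.0", "255.255.255.0"),
]

# Constructed table for the reverse case: a private server address is
# rewritten to its public address for external DNS queries.
REVERSE_TABLE = [
    DnsTranslationEntry("192.168.3.4", "1.2.3.4", "255.255.255.255"),
]

if __name__ == "__main__":
    print(translate_answers(INTERNAL_TABLE, ["1.2.3.4", "203.0.113.77", "198.51.100.9"]))
    print(translate_answers(REVERSE_TABLE, ["192.168.3.4"]))
```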

Application Control

Using the Application Control feature, your FortiProxy unit can detect and take action against network traffic depending
on the application generating the traffic. Based on FortiProxy Intrusion Protection protocol decoders, application control
is a user-friendly and powerful way to use Intrusion Protection features to log and manage the behavior of application
traffic passing through the FortiProxy unit. Application control uses IPS protocol decoders that can analyze network
traffic to detect application traffic even if the traffic uses nonstandard ports or protocols. Application control supports
detection for traffic using HTTP protocol (versions 1.0, 1.1, and 2.0).


The FortiProxy unit can recognize the network traffic generated by a large number of applications. You can create
application control sensors that specify the action to take with the traffic of the applications you need to manage and the
network on which they are active, and then add application control sensors to the firewall policies that control the network
traffic you need to monitor.
Fortinet is constantly adding to the list of applications detected through maintenance of the FortiGuard Application
Control Database. This database is part of the FortiGuard Intrusion Protection System Database because intrusion
protection protocol decoders are used for application control and both of these databases have the same version
number.
You can see the complete list of applications supported by FortiGuard Application Control on the FortiGuard site or
https://fortiguard.com/appcontrol. This web page lists all of the supported applications. You can select any application
name to see details about the application.
To view available application sensors, go to Security Profiles > Application Control.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create an application sensor. See Create or edit an application sensor on page
248.

Edit Modify the selected application sensor. See Create or edit an application sensor
on page 248.

Clone Make a copy of the selected application sensor.

Delete Remove the selected application sensor.

Search Enter a search term to search the application sensor list.

Name The name of the application sensor.

Comments An optional description of the application sensor.

Ref. Displays the number of times the object is referenced by other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create or edit an application sensor

To create an application sensor, click Create New.


Configure the following settings and then select OK:

Name: The name of the application sensor.

Comments: Optional description of the application sensor.

Categories: Select an action for All Categories or for each category of applications:
• Monitor: This action allows the targeted traffic to continue on through the FortiProxy unit but logs the traffic for analysis.
• Allow: This action allows the targeted traffic to continue on through the FortiProxy unit.
• Block: This action prevents all traffic from reaching the application and logs all occurrences.
• Quarantine: This action allows you to quarantine or block access to an application for a specified duration that can be entered in days, hours, and minutes. The default is 5 minutes.
You can also select View Signatures or View Cloud Signatures to see a list of signatures for some categories.

Network Protocol Enable and configure network services on certain ports and determine the
Enforcement violation action. SeeCreate or edit a default network service on page 251.
Protocol enforcement allows you to configure networking services (for example,
FTP, HTTP, and HTTPS) on known ports (for example, 21, 80, or 43). For
protocols that have not been added to the allowlist for certain ports, the IPS
engine performs the violation action to block, allow, or monitor that traffic.

Application and Filter Application overrides allow you to choose individual applications. To add an
Overrides application override, see Add or edit an application override on page 252.
Filter overrides can be added based on behavior, application category, popularity,
protocol, risk, technology, or vendor subtypes. To add a filter override, see Add or
edit a filter override on page 252.

Allow and Log DNS Traffic Enable to allow DNS traffic.

Block applications detected For monitor and allow actions, applications are blocked if they are detected on
on non-default ports nondefault ports (as defined in FortiGuard application signatures).
Block actions still block all traffic for the application, regardless of port.

QUIC Select Allow if you want the FortiProxy unit to inspect Google Chrome packets for
a QUIC header. Select Block to force Google Chrome to use HTTP2/TLS 1.2.

Replacement Messages for Enable to display replacement messages for HTTP-based applications.
HTTP-based Applications

View Application Signatures Select to see a list of predefined application signatures. To create an application
signature, see Create or edit an application signature on page 276.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.


To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

To edit an application sensor:

1. From the application sensor list, select the sensor that you need to edit and then click Edit from the toolbar or
double-click on the sensor name in the list. The Edit Application Sensor window opens.
2. Edit the information as required and then select OK to save your changes.

Create or edit a default network service

Protocol enforcement allows you to configure networking services (for example, FTP, HTTP, and HTTPS) on known ports (for example, 21, 80, and 443). For protocols that are not allowlisted on the selected ports, the IPS engine performs the violation action to block, allow, or monitor that traffic.
This feature can be used in the following scenarios:
• When one protocol dissector confirms the service of the network traffic, protocol enforcement checks whether the confirmed service is allowlisted on the server port. If it is not allowlisted, the traffic is considered a violation and IPS takes the action specified in the configuration (block or monitor).
• When there is no confirmed service for the network traffic, the traffic is considered a service violation if the IPS dissectors rule out all of the services enforced on its server port.
In an applicable profile, a default-network-service list can be created to associate well-known ports with accepted services.
Default network services can be added or edited, as required.

To create a default network service:

1. Go to Security Profiles > Application Control.


2. Click Create New or select an application sensor and then click Edit.
3. Enable Network Protocol Enforcement.
4. In the Network Protocol Enforcement section, select Create New.
5. Enter a port number.
6. Enter one or more protocols to allow on the specified port.
7. Select to block or monitor protocols that are not specified in the Enforce protocols field.
8. Click OK.
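The two enforcement scenarios described above, and the port, protocol and violation-action fields entered in this procedure, are modelled in the following added example. It is illustrative code written for this guide, not FortiProxy code: the service names, the sample port table and the rule that an undetermined service is allowed until every enforced service has been ruled out are assumptions taken from the description, not from the appliance.

```python
"""Decision model for protocol enforcement (added illustration, not FortiProxy code).

Each NetworkService entry mirrors one default network service: a port, the
services allowlisted on it, and the violation action (block or monitor).
"""
from dataclasses import dataclass

ALLOW, MONITOR, BLOCK = "allow", "monitor", "block"


@dataclass(frozen=True)
class NetworkService:
    port: int
    protocols: frozenset      # services allowlisted on this port
    violation_action: str     # MONITOR or BLOCK


@dataclass(frozen=True)
class Verdict:
    action: str
    reason: str


def enforce(services, server_port, confirmed=None, ruled_out=frozenset()):
    """Return the verdict for one flow.

    confirmed  - service name confirmed by a protocol dissector, or None
    ruled_out  - services the dissectors have already excluded for this flow
    """
    entry = next((s for s in services if s.port == server_port), None)
    if entry is None:
        # no enforcement configured on this port: nothing to violate
        return Verdict(ALLOW, f"no network service configured on port {server_port}")
    if confirmed is not None:
        # scenario 1: a dissector confirmed the service; check the allowlist
        if confirmed in entry.protocols:
            return Verdict(ALLOW, f"{confirmed} is allowlisted on port {server_port}")
        return Verdict(entry.violation_action,
                       f"{confirmed} is not allowlisted on port {server_port}")
    # scenario 2: nothing confirmed yet; it is a violation only once every
    # enforced service has been ruled out (assumed reading of the guide)
    if entry.protocols <= ruled_out:
        return Verdict(entry.violation_action,
                       f"all enforced services on port {server_port} ruled out")
    return Verdict(ALLOW, "service not determined yet; keep inspecting")


# Constructed sample configuration (hypothetical, not from the guide).
SAMPLE_SERVICES = [
    NetworkService(21, frozenset({"ftp"}), BLOCK),
    NetworkService(80, frozenset({"http"}), MONITOR),
    NetworkService(443, frozenset({"https"}), BLOCK),
]


if __name__ == "__main__":
    # a non-HTTPS service confirmed on port 443 violates the allowlist
    print(enforce(SAMPLE_SERVICES, 443, confirmed="ssh"))
    # plain HTTP on port 80 is the expected service
    print(enforce(SAMPLE_SERVICES, 80, confirmed="http"))
    # nothing confirmed on port 21, but FTP has been ruled out
    print(enforce(SAMPLE_SERVICES, 21, ruled_out=frozenset({"ftp"})))
```

The point worth noticing when tuning a real profile is the second scenario: a flow on an enforced port is not a violation merely because its service is unknown, so a monitor action on a busy port produces logs only for traffic that has been positively identified as something else or for which every enforced service has been excluded.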

To edit a default network service:

1. Go to Security Profiles > Application Control.


2. Click Create New or select an application sensor and then click Edit.
3. Enable Network Protocol Enforcement.


4. Select the default network service that you want to edit and then click Edit from the toolbar. The Edit Default
Network Service window opens.
5. Edit the information as required and then click OK to apply your changes.

Add or edit an application override

Application overrides can be added or edited as required.

To add predefined signatures:

1. Go to Security Profiles > Application Control.


2. Click Create New or select an application sensor and then click Edit.
3. In the Application and Filter Overrides section, click Create New.
4. Select Application for the override type.
5. Select the action to take: Monitor, Allow, Block, or Quarantine.
6. Use the search field to narrow down the list of possible signatures by a series of attributes.
7. Click OK.

To edit a predefined signature:

1. Go to Security Profiles > Application Control.


2. Click Create New or select an application sensor and then click Edit.
3. In the Application and Filter Overrides section, select the application override to edit and then click Edit from the
toolbar.
4. Edit the information as required and then click OK to apply your changes.

Add or edit a filter override

Filters overrides can be added or edited as required.

To create a filter override:

1. Go to Security Profiles > Application Control.


2. Click Create New or select an application sensor and then click Edit.
3. In the Application and Filter Overrides section, click Create New.
4. Select Filter for the override type.
5. Select the action to take: Monitor, Allow, Block, or Quarantine.
6. Use the search field to narrow down the list of possible filters by a series of attributes.
7. Click OK.

To edit a filter override:

1. Go to Security Profiles > Application Control.


2. Click Create New or select an application sensor and then click Edit.
3. In the Application and Filter Overrides section, select the filter override to edit and then click Edit from the toolbar.
4. Edit the information as required and then click OK to apply your changes.


Intrusion Prevention

The Intrusion Prevention System (IPS) combines signature detection and prevention with low latency and excellent
reliability. With intrusion protection, you can create multiple IPS sensors, each containing a complete configuration
based on signatures. Then, you can apply any IPS sensor to any security policy.
This section describes how to configure the Intrusion Prevention settings.
To view available IPS sensors, go to Security Profiles > Intrusion Prevention.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New: Create an IPS sensor. See Create or edit an IPS sensor on page 253.

Edit: Modify the selected IPS sensor. See Create or edit an IPS sensor on page 253.

Clone: Make a copy of the selected IPS sensor.

Delete: Remove the selected IPS sensor.

Search: Enter a search term to find in the IPS sensor list.

Name: The name of the IPS sensor.

Comments: An optional description of the IPS sensor.

Ref.: Displays the number of times the object is referenced by other objects. To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.

Create or edit an IPS sensor

The Intrusion Prevention System (IPS) combines signature detection and prevention with low latency and excellent
reliability. With intrusion protection, you can create multiple IPS sensors, each containing a complete configuration
based on signatures. Then, you can apply any IPS sensor to any security policy.
IPS sensors can be added, edited, cloned, and deleted as required.
To create an IPS sensor, go to Security Profiles > Intrusion Prevention and click Create New.


Configure the following settings and then select OK to save your changes:

Name: The name of the IPS sensor.

Comments: Optional description of the IPS sensor.

Block malicious URLs: Enable this setting to block malicious URLs that FortiSandbox finds. Your FortiProxy unit must be connected to a registered FortiSandbox.

IPS Signatures and Filters: Add or edit an IPS signature or filter. See Add or edit an IPS signature or filter on page 255. While individual signatures can be added to a sensor, a filter allows you to add multiple signatures to a sensor by specifying the characteristics of the signatures to be added.

Scan Outgoing Connections to Botnet Sites: Select Block or Monitor to enable botnet blocking across all traffic that matches the policy.

View IPS Signatures: Select to see a list of predefined IPS signatures. To create an IPS signature, see Create or edit an IPS signature on page 280.

API Preview: The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.


To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

To edit an IPS sensor:

1. From the IPS sensor list, select the sensor that you need to edit and then click Edit from the toolbar or double-click
on the sensor name in the list. The Edit IPS Sensor window opens.
2. Edit the information as required and then select OK to save your changes.

Add or edit an IPS signature or filter

You can add or edit IPS signatures and filters.

To create a filter:

1. Go to Security Profiles > Intrusion Prevention.


2. In the IPS Signatures and Filters section, select Create New.
3. In the Add Signatures window, select Filter.
4. For the action, select Allow, Monitor, Block, Reset, Default, or Quarantine.
5. Enable or disable packet logging.
6. Enable the status to make the filter active.
7. Use the Filter field to select filters.
8. Use the search field to narrow down the list of possible signatures by a series of attributes.
9. Click OK.

To create a signature:

1. Go to Security Profiles > Intrusion Prevention.
2. In the IPS Signatures and Filters section, select Create New.
3. In the Add Signatures window, select Signature.
4. For the action, select Allow, Monitor, Block, Reset, Default, or Quarantine.
5. Enable or disable packet logging.
6. Enable the status to make the signature active.
7. Select Default or Specify for the rate-based settings. If you select Specify, enter the number of incidents per minute
in the Threshold field, enter the number of seconds after which the block will be removed in the Duration (seconds)
field, and select whether the rate-based settings use the source IP address, the destination IP address, or any IP
address.
8. If you want to exempt certain IP addresses from the signature, click Edit IP Exemptions and add the source IP
address and netmask and the destination IP address and netmask.
9. Use the search field to narrow down the list of possible signatures by a series of attributes.
10. Click OK.
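The rate-based settings in step 7 (threshold in incidents per minute, block duration in seconds, tracking by source, destination or any address) and the IP exemptions in step 8 are easier to reason about with a small model. The following is an added example written for this guide, not FortiProxy code; the exact point at which the appliance starts blocking relative to the threshold is not stated in the guide, so the choice made here (the hit that reaches the threshold is itself blocked) and the sample addresses are assumptions.

```python
"""Rate-based IPS signature tracker with IP exemptions (added illustration, not FortiProxy code).

Models the Specify rate-based settings: a threshold of incidents per minute, a block
duration in seconds, and whether incidents are counted per source IP, per destination
IP, or regardless of address. Exemptions are (source network, destination network) pairs.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

WINDOW_SECONDS = 60  # the threshold is expressed in incidents per minute


class RateBasedSignature:
    def __init__(self, threshold, duration, track_by="source", exemptions=()):
        if track_by not in ("source", "destination", "any"):
            raise ValueError("track_by must be source, destination or any")
        self.threshold = threshold
        self.duration = duration
        self.track_by = track_by
        self.exemptions = [(ip_network(s), ip_network(d)) for s, d in exemptions]
        self._hits = defaultdict(deque)   # key -> timestamps of recent incidents
        self._blocked_until = {}          # key -> time at which the block expires

    def _key(self, src, dst):
        if self.track_by == "source":
            return src
        if self.track_by == "destination":
            return dst
        return "any"                      # one shared counter for all addresses

    def _exempt(self, src, dst):
        s, d = ip_address(src), ip_address(dst)
        return any(s in sn and d in dn for sn, dn in self.exemptions)

    def observe(self, src, dst, now):
        """Record one signature match at time `now` (seconds) and return the action.

        Assumption: the hit that reaches the threshold is blocked, and every later
        hit for the same key is blocked until `duration` seconds have passed.
        """
        if self._exempt(src, dst):
            return "exempt"
        key = self._key(src, dst)
        until = self._blocked_until.get(key)
        if until is not None:
            if now < until:
                return "block"
            del self._blocked_until[key]  # the block has expired
        hits = self._hits[key]
        hits.append(now)
        while hits and now - hits[0] >= WINDOW_SECONDS:
            hits.popleft()                # drop incidents outside the one-minute window
        if len(hits) >= self.threshold:
            self._blocked_until[key] = now + self.duration
            hits.clear()
            return "block"
        return "pass"


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges; the exemption lets
    # 192.0.2.0/24 talk to any destination without triggering the signature.
    sig = RateBasedSignature(threshold=3, duration=10, track_by="source",
                             exemptions=[("192.0.2.0/24", "0.0.0.0/0")])
    for t in (0, 1, 2, 5, 13):
        print(t, sig.observe("198.51.100.7", "203.0.113.10", t))
    print(14, sig.observe("192.0.2.5", "203.0.113.10", 14))
```

Tracking by destination is the setting to reach for when many sources hit one server (the counter is shared across them), while tracking by source isolates one noisy client; "any" makes a single counter for the whole sensor, which is the coarsest and easiest to trip accidentally.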


To edit a filter or signature:

1. Go to Security Profiles > Intrusion Prevention.


2. In the IPS Filters section, select the filter or signature that you want to edit and then click Edit from the toolbar.
3. Edit the information as required and then select OK to apply your changes.

File Filter

The file filter allows the FortiProxy unit to block files passing through based on file type, using the file's metadata only
and not its size or content. To block files based on size or content, such as Social Security numbers, credit card
numbers, or a regular expression pattern, a DLP sensor must be configured. The file filter can be applied directly to firewall policies.
To view available file filter profiles, go to Security Profiles > File Filter.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New: Create a file filter profile. See Create or edit a file filter profile on page 256.

Edit: Modify the selected file filter profile. See Create or edit a file filter profile on page 256.

Clone: Make a copy of the selected file filter profile.

Delete: Remove the selected file filter profile.

Search: Enter a search term to find in the file filter profile list.

Name: The name of the file filter profile.

Comments: An optional description of the file filter profile.

Ref.: Displays the number of times the object is referenced by other objects. To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.

Scan Archive Contents: Whether the scanning of archive contents has been enabled or disabled.

Create or edit a file filter profile

Click Create New to open the New File Filter Profile window.


Select a file filter profile and then click Edit to open the Edit File Filter Profile window.
Configure the following settings in the New File Filter Profile window and then click OK:

Name: The name of the file filter profile.

Comments: Optional description of the file filter profile.

Scan archive contents: Enable if you want the archive contents to be scanned.

Rules: Create or edit file filter rules. See Create or edit a file filter rule on page 258.

API Preview: The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.


File filter rules available in the sniffer policy

File filter rules can be used in one-arm sniffer policies in the CLI.
The following example shows how to configure a file filter profile that blocks PDF and RAR files used in a one-arm sniffer
policy:
config file-filter profile
    edit "sniffer-profile"
        set comment "File type inspection."
        config rules
            edit "1"
                set protocol http ftp smtp imap pop3 cifs
                set action block
                set file-type "pdf" "rar"
            next
        end
    next
end

Create or edit a file filter rule

You can create or edit rules for the file filter profile.

To create a file filter rule:

1. Go to Security Profiles > File Filter.


2. Click Create New or select a file filter profile and then click Edit.
3. In the Rules table, select Create New. The Create New File Filter Rule window opens.
4. Enter the name of the file filter rule.
5. Enter an optional description of the file filter rule.
6. Select one or more protocols.
7. Select Incoming, Outgoing, or Both.
8. Enable Password-protected only if you want to just match password-protected files.
9. Select the file types to match.
10. Select the action to take when the rule is matched:
l Block: Block access to any file that matches the rule.
l Monitor: Monitor traffic to and from files matching the rule.
11. Click OK to save the file filter rule.
12. Click OK to save the file filter profile.
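To make the rule fields in this procedure (protocols, direction, password-protected only, file types, action) concrete, and to show what the one-arm sniffer CLI example above does to a PDF or RAR, the following added example evaluates file filter rules over constructed sample payloads. It is illustrative code written for this guide, not FortiProxy code: the assumption that file types are recognised from the leading signature bytes of the file, the tiny signature table, the first-match-wins ordering and the sample payloads are all constructed for the example.

```python
"""File filter rule evaluation by file type (added illustration, not FortiProxy code).

Types are identified from the leading signature bytes of the file (an assumption
about how type detection works), so renaming the extension does not change the
result. Rule fields mirror the GUI fields: protocols, direction,
password-protected-only, file types and action.
"""
from dataclasses import dataclass

# Constructed signature table; a real appliance knows many more types.
MAGIC = {
    "pdf": b"%PDF-",
    "rar": b"Rar!\x1a\x07",
    "zip": b"PK\x03\x04",
    "exe": b"MZ",
}


def identify_file_type(data):
    """Return the type name whose signature starts the data, or None."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


@dataclass(frozen=True)
class FileFilterRule:
    name: str
    protocols: frozenset           # e.g. {"http", "ftp", "smtp", "cifs"}
    file_types: frozenset          # e.g. {"pdf", "rar"}
    action: str                    # "block" or "monitor"
    direction: str = "both"        # "incoming", "outgoing" or "both"
    password_protected_only: bool = False


def evaluate(rules, protocol, direction, data, password_protected=False):
    """Return (action, file_type); the action is 'pass' when no rule matches."""
    ftype = identify_file_type(data)
    for rule in rules:
        if protocol not in rule.protocols:
            continue
        if rule.direction != "both" and rule.direction != direction:
            continue
        if rule.password_protected_only and not password_protected:
            continue
        if ftype in rule.file_types:
            return rule.action, ftype   # first matching rule wins (assumption)
    return "pass", ftype


# Same intent as the CLI example above: block PDF and RAR on the listed protocols.
SNIFFER_RULES = [
    FileFilterRule("1", frozenset({"http", "ftp", "smtp", "imap", "pop3", "cifs"}),
                   frozenset({"pdf", "rar"}), "block"),
]

if __name__ == "__main__":
    # Constructed sample payloads: a PDF header and a ZIP local-file header.
    print(evaluate(SNIFFER_RULES, "http", "incoming", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"))
    print(evaluate(SNIFFER_RULES, "http", "incoming", b"PK\x03\x04\x14\x00\x00\x00"))
    print(evaluate(SNIFFER_RULES, "ssh", "incoming", b"%PDF-1.7"))
```

Because the match is on the file's own signature rather than its name, a rule written for "pdf" still fires on a PDF delivered as report.txt; conversely, a rule only applies on the protocols it lists, so a profile that omits a protocol inspects nothing on it.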

To edit a file filter rule:

1. Go to Security Profiles > File Filter.


2. Click Create New or select a file filter profile and then click Edit.
3. In the Rules table, double-click on a rule or select the rule and then click Edit in the toolbar.
4. Edit the rule settings as required.


5. Click OK to save your changes to the file filter rule.
6. Click OK to save the file filter profile.

Email Filter

Email filters perform spam detection and filtering. You can customize the default profile or create your own and apply it to
a firewall policy.
NOTE: Two kinds of filtering can be defined in a single profile, and they act independently of one another.
Filter options can be organized according to the source of the decision:
• Local options: The FortiProxy unit qualifies the email based on local conditions, such as block/allowlists, banned words, or DNS checks using FortiGuard Antispam.
• FortiGuard-based options: The FortiProxy unit qualifies the email based on the score or verdict returned from FortiGuard Antispam.
• Third-party options: The FortiProxy unit qualifies the email based on information from a third-party source (such as an ORB list).
Local and FortiGuard block/allowlists can be enabled and combined in a single profile. When combined, the local
block/allowlist has a higher priority than the FortiGuard block list during the decision-making process. For example, if a
client IP address is blocklisted on the FortiGuard server, but you want to override this decision and allow the IP address to pass
through the filter, you can define the IP address or subnet in a local block/allowlist with the clear action. Because the
information coming from the local list has a higher priority than the FortiGuard service, the email will be considered clean.
NOTE: Some features of this functionality require a subscription to FortiGuard Antispam.
To view available email filter profiles, go to Security Profiles > Email Filter.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New: Create an email filter profile. See Create or edit an email filter profile on page 260.

Edit: Modify the selected email filter profile. See Create or edit an email filter profile on page 260.

Clone: Make a copy of the selected email filter profile.

Delete: Remove the selected email filter profile.

Search: Enter a search term to find in the email filter profile list.

Name: The name of the email filter profile.


Comments: An optional description of the email filter profile.

Ref.: Displays the number of times the object is referenced by other objects. To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.

Create or edit an email filter profile

Click Create New to open the New Email Filter Profile window.

Select an email filter profile and then click Edit to open the Edit Email Filter Profile window.
Configure the following settings in the New Email Filter Profile window and then click OK:

Name: The name of the email filter profile.

Comments: Optional description of the email filter profile.

Enable spam detection and filtering: Enable if you want to detect and filter spam.


Spam Detection by Protocol: For each protocol, select whether to tag, pass, or discard spam. If you selected to tag spam, select where the tag is placed and the tag format.

IP Address Check: The FortiProxy unit queries the FortiGuard Anti-Spam Service to determine if the IP address of the client delivering the email is blacklisted. A match will cause the FortiProxy unit to treat delivered messages as spam.
When you enable FortiGuard IP address checking, your FortiProxy unit will submit the IP address of the client to the FortiGuard service for checking. If the IP address exists in the FortiGuard IP address black list, your FortiProxy unit will treat the message as spam.

URL check: When you enable FortiGuard URL checking, your FortiProxy unit will submit all URLs appearing in the email message body to the FortiGuard service for checking. If a URL exists in the FortiGuard URL block list, your FortiProxy unit will treat the message as spam.

Detect Phishing URLs in Email: When you enable FortiGuard phishing URL detection, your FortiProxy unit will submit all URL hyperlinks appearing in the email message body to the FortiGuard service for checking. If a URL exists in the FortiGuard URL phishing list, your FortiProxy unit will remove the hyperlink from the message. The URL will remain in place, but it will no longer be a selectable hyperlink.

Email Checksum Check: Enable this option to check the email checksum.

Spam Submission: Spam submission is a way you can inform the FortiGuard Anti-Spam service of non-spam messages incorrectly marked as spam. When you enable this setting, the FortiProxy unit adds a link to the end of every message marked as spam. You then select this link to inform the FortiGuard Anti-Spam service when a message is incorrectly marked.

HELO DNS Lookup: Whenever a client opens an SMTP session with a server, the client sends a HELO command with the client domain name. The FortiProxy unit takes the domain name specified by the client in the HELO and does a DNS lookup to determine if the domain exists. If the lookup fails, the FortiProxy unit determines that any messages delivered during the SMTP session are spam.
The HELO DNS lookup is available only for SMTP traffic.

Return Email DNS Check: When you enable return email DNS checking, your FortiProxy unit will take the domain in the reply-to email address and reply-to domain and check the DNS servers to see if there is an A or MX record for the domain. If the domain does not exist, your FortiProxy unit will treat the message as spam.

Block/Allow List: Enable to block web sites when their SSL certificate CN field does not contain a valid domain name.

API Preview: The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.
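The precedence described at the start of this section (a local block/allowlist entry outranks the FortiGuard IP verdict, so a local clear entry lets a FortiGuard-blocklisted client through) together with the HELO DNS lookup and return email DNS check from the table above are combined in the following added example. It is illustrative code written for this guide, not FortiProxy code: the order in which the remaining checks run, the local list actions "spam" and "clear", the constructed DNS answers and the documentation-range addresses are assumptions so that the example runs offline.

```python
"""Spam decision order for an email filter profile (added illustration, not FortiProxy code).

Shows the precedence the guide describes: a local block/allow list entry wins over the
FortiGuard IP verdict, so a local 'clear' entry admits a FortiGuard-blocklisted client.
The HELO and return-address DNS checks read an injected resolver table instead of
performing real lookups, so the example runs offline.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SPAM, CLEAN = "spam", "clean"


@dataclass(frozen=True)
class LocalEntry:
    network: str     # client IP address or subnet
    action: str      # "spam" or "clear" (assumed action names)


def domain_resolves(domain, resolver):
    """True if the domain has an A or MX record according to `resolver`."""
    return bool(resolver.get((domain, "A")) or resolver.get((domain, "MX")))


def classify(client_ip, helo_domain, reply_to, local_list, fortiguard_blocklist,
             resolver, helo_check=True, return_dns_check=True):
    """Return (verdict, reason) for one SMTP message.

    Check order after the local list is an assumption; the guide only states that
    the local list outranks the FortiGuard verdict.
    """
    ip = ip_address(client_ip)
    # 1. local block/allow list has the highest priority
    for entry in local_list:
        if ip in ip_network(entry.network):
            verdict = CLEAN if entry.action == "clear" else SPAM
            return verdict, f"local list entry {entry.network} ({entry.action})"
    # 2. FortiGuard IP address check (simulated by a constructed set of networks)
    if any(ip in ip_network(n) for n in fortiguard_blocklist):
        return SPAM, "client IP on FortiGuard blocklist"
    # 3. HELO DNS lookup (SMTP only): the HELO domain must exist
    if helo_check and not domain_resolves(helo_domain, resolver):
        return SPAM, f"HELO domain {helo_domain} does not resolve"
    # 4. return email DNS check: the reply-to domain needs an A or MX record
    if return_dns_check:
        domain = reply_to.rsplit("@", 1)[-1].lower()
        if not domain_resolves(domain, resolver):
            return SPAM, f"reply-to domain {domain} has no A or MX record"
    return CLEAN, "all checks passed"


# Constructed, offline DNS answers (documentation addresses; no real lookups).
RESOLVER = {
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("example.com", "MX"): ["mail.example.com"],
    ("example.net", "A"): ["198.51.100.9"],
}
# Constructed lists: the whole 203.0.113.0/24 range is on the FortiGuard
# blocklist, but the local list clears it.
LOCAL_LIST = [LocalEntry("203.0.113.0/24", "clear")]
FORTIGUARD_BLOCKLIST = ["203.0.113.0/24", "198.51.100.0/24"]


if __name__ == "__main__":
    print(classify("203.0.113.5", "mail.example.com", "user@example.com",
                   LOCAL_LIST, FORTIGUARD_BLOCKLIST, RESOLVER))
    print(classify("198.51.100.5", "mail.example.com", "user@example.com",
                   LOCAL_LIST, FORTIGUARD_BLOCKLIST, RESOLVER))
    print(classify("192.0.2.77", "bogus.invalid", "user@example.com",
                   LOCAL_LIST, FORTIGUARD_BLOCKLIST, RESOLVER))
```

The first call is the override case from the section introduction: the client is on the FortiGuard blocklist, yet the message is clean because the local clear entry is consulted first. That is also why local clear entries deserve review during an incident, since each one silently disables the FortiGuard verdict for its range.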


To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

Web Application Firewall

Web application firewall (WAF) profiles can detect and block known web application attacks. You can configure WAF
profiles to use signatures and constraints to examine web traffic. You can also enforce an HTTP method policy, which
controls the HTTP method that matches the specified pattern.
You can customize the default profile, or you can create your own profile to apply access rules and HTTP protocol
constraints to traffic. You can apply WAF profiles to firewall policies when the inspection mode is set to proxy-based.
To view available WAF profiles, go to Security Profiles > Web Application Firewall.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New: Create a WAF profile. See Create or edit a web application firewall profile on page 263.

Edit: Modify the selected WAF profile. See Create or edit a web application firewall profile on page 263.

Clone: Make a copy of the selected WAF profile.

Delete: Remove the selected WAF profile.

Search: Enter a search term to find in the WAF profile list.

Name: The name of the WAF profile.

Comments: An optional description of the WAF profile.

Ref.: Displays the number of times the object is referenced by other objects. To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.


Create or edit a web application firewall profile

Click Create New to open the New Web Application Firewall Profile window.


Select a web application firewall profile and then click Edit to open the Edit Web Application Firewall Profile window.
Configure the following settings in the New Web Application Firewall Profile window and then click OK:

Name: The name of the WAF profile.

Comments: Optional description of the WAF profile.

Signatures: Select a signature and click Edit to change the action, severity, and status.

Constraints: Select a constraint and click Edit to change the action, severity, and status.

Enforce HTTP Method Policy: Enable this option and create or edit a method policy. See Create or edit a method policy on page 265.

API Preview: The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

Create or edit a method policy

You can create or edit an HTTP method policy.

To create a method policy:

1. Go to Security Profiles > Web Application Firewall.


2. Click Create New or select a web application firewall profile and then click Edit.
3. Enable Enforce HTTP Method Policy.
4. In the HTTP Method Policy section, select Create New.
5. Enter a pattern.
6. Select the pattern type, either Regex or Simple.
7. Select one or more allowed HTTP methods.
8. Click OK.
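Steps 5 to 7 pair a URL pattern (Regex or Simple) with the set of allowed HTTP methods. The following added example evaluates such policies against requests so the effect of the pattern type and method list can be checked before the policy goes into a profile. It is illustrative code written for this guide, not FortiProxy code: the treatment of Simple patterns as glob-style wildcards, the first-matching-policy rule, the default of leaving requests that match no policy alone, and the sample policies are assumptions not stated in the guide.

```python
"""HTTP method policy evaluation (added illustration, not FortiProxy code).

A policy pairs a URL pattern (Regex or Simple) with the allowed HTTP methods. The
first policy whose pattern matches the request path decides; a request whose path
matches no policy is left alone (assumed default, not stated in the guide).
"""
import fnmatch
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MethodPolicy:
    pattern: str
    pattern_type: str            # "regex" or "simple"
    allowed_methods: frozenset   # e.g. {"GET", "HEAD"}

    def matches(self, path):
        if self.pattern_type == "regex":
            return re.search(self.pattern, path) is not None
        if self.pattern_type == "simple":
            # Simple patterns use * as a wildcard; assumed to behave like a glob.
            return fnmatch.fnmatchcase(path, self.pattern)
        raise ValueError(f"unknown pattern type {self.pattern_type!r}")


def check_method(policies, method, path):
    """Return (allowed, policy): policy is the MethodPolicy that decided, or None."""
    method = method.upper()          # method names are case-insensitive here
    for policy in policies:
        if policy.matches(path):
            return method in policy.allowed_methods, policy
    return True, None


# Constructed example policies: an API that only reads and creates, and an
# admin area that is read-only through this proxy.
POLICIES = [
    MethodPolicy("/api/*", "simple", frozenset({"GET", "POST"})),
    MethodPolicy(r"^/admin(/|$)", "regex", frozenset({"GET"})),
]

if __name__ == "__main__":
    for method, path in (("GET", "/api/users"), ("DELETE", "/api/users"),
                         ("POST", "/admin/login"), ("PUT", "/static/app.js")):
        allowed, policy = check_method(POLICIES, method, path)
        status = "allowed" if allowed else f"blocked by {policy.pattern}"
        print(f"{method} {path}: {status}")
```

The regex anchors matter: without `^` and the `(/|$)` group, a pattern meant for /admin would also apply to /administrator or /files/admin.txt, which is the usual source of surprise when a method policy blocks more than intended.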

To edit a method policy:

1. Go to Security Profiles > Web Application Firewall.


2. Click Create New or select a web application firewall profile and then click Edit.
3. Enable Enforce HTTP Method Policy.


4. Select the HTTP method policy that you want to edit and then click Edit from the toolbar. The Edit Method Policy
window opens.
5. Edit the information as required and then click OK to apply your changes.

SSL/SSH Inspection

Secure sockets layer (SSL) content scanning and inspection allows you to apply antivirus scanning, web filtering, and
email filtering to encrypted traffic. You can apply SSL inspection profiles to firewall policies.
Deep inspection (also known as SSL/SSH inspection) is typically applied to outbound policies where destinations are
unknown. Depending on your policy requirements, you can configure the following:
• Which CA certificate will be used to decrypt the SSL encrypted traffic
• Which SSL protocols will be inspected
• Which ports will be associated with which SSL protocols for inspection
• Whether or not to allow invalid SSL certificates
• Whether or not SSH traffic will be inspected
• Which addresses or web category allowlists can bypass SSL inspection

SSL/SSH inspection profile

To view the available SSL/SSH inspection profiles, go to Security Profiles > SSL/SSH Inspection.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New: Create an SSL/SSH inspection profile. See Create or edit an SSL/SSH inspection profile on page 267.

Edit: Modify the selected SSL/SSH inspection profile. See Create or edit an SSL/SSH inspection profile on page 267.

Clone: Make a copy of the selected SSL/SSH inspection profile.

Delete: Remove the selected SSL/SSH inspection profile.


Search: Enter a search term to find in the SSL/SSH inspection profile list.

Name: The name of the SSL/SSH inspection profile.

Read Only: The certificate-inspection, deep-inspection, and no-inspection profiles are read only and cannot be edited.

Comments: An optional description of the SSL/SSH inspection profile.

Ref.: Displays the number of times the object is referenced by other objects. To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.

Create or edit an SSL/SSH inspection profile

The FortiProxy unit includes four preloaded SSL/SSH inspection profiles, three of which are read-only and can be
cloned:
• certificate-inspection
• deep-inspection
• no-inspection

The custom-deep-inspection profile can be edited, or you can create your own SSL/SSH inspection profiles.
To create an SSL/SSH inspection profile, go to Security Profiles > SSL/SSH Inspection and click Create New.


Configure the following settings and then click OK to save your changes:

Name Give the profile an easily identifiable name that references its intent.

Comments Enter any additional information that might be needed by administrators, as a
reminder of the profile's purpose and scope. This setting is optional.

SSL Inspection Options

Enable SSL Inspection of l Multiple Clients Connecting to Multiple Servers—Select this option for
generic policies where the destination is unknown. The Exempt from
SSL Inspection and Common Options options are only available with this
option enabled.
l Protecting SSL Server—Select this option when setting up a profile
customized for a specific SSL server with a specific certificate.

Server certificate Click + and select a certificate or click Create to import a certificate.
This option is available only when Protecting SSL Server is selected.

Inspection Method This option is available only when Multiple Clients Connecting to Multiple Servers
is selected.
l SSL Certificate Inspection—Only inspects the certificate, not the contents of
the traffic.
l Full SSL Inspection—Inspects all of the traffic.

CA Certificate Select a CA certificate from the drop-down menu or select Download
Certificate. You need to have the certificate installed in your browser, or you might
see certificate warnings.
This option is available only when Multiple Clients Connecting to Multiple Servers
is selected.

Blocked certificates The FortiProxy unit receives Botnet C&C SSL connections from FortiGuard that
contain SHA1 fingerprints of malicious certificates. By default, these certificates
are blocked. Click View Blocked Certificates to see a detailed list.

Untrusted SSL certificates Configure the action to take when a server certificate is not issued by a trusted
CA.
l Allow: Allow the untrusted server certificate. This is the default value.
l Block: Block the session.
l Ignore: This option is for Full SSL inspection only. It re-signs the server
certificate as trusted. When configured in the GUI for certificate inspection, it
has no effect, and the setting is not saved.
Click View Trusted CAs List to see a list of the factory bundled and user imported
CAs that are trusted by the FortiProxy unit.

Server certificate SNI check Check the SNI in the hello message with the CN or SAN field in the returned
server certificate.
l Enable: If mismatched, use the CN in the server certificate to do URL
filtering.
l Strict: If mismatched, close the connection.
l Disable: Server certificate SNI check is disabled.

Enforce SSL cipher compliance Enable to enforce SSL cipher compliance.

Enforce SSL negotiation compliance Enable to enforce SSL negotiation compliance.

RPC over HTTPS Enable to allow RPC over HTTPS.

Protocol Port Mapping To optimize the resources of the unit, enable or disable the mapping and
inspection of protocols. The default port numbers are automatically filled in, but
you can change them.

Exempt from SSL Inspection Exempt web categories or specific addresses from SSL inspection. This section is
available only when Multiple Clients Connecting to Multiple Servers and a
protocol under Protocol Port Mapping are enabled.

Reputable Websites Enable this option to exempt any websites identified by FortiGuard as reputable.

Web Categories By default, the categories of Finance and Banking, Health and Wellness, and
Personal Privacy have been added because they are most likely to require a
specific certificate.
Click + to add web categories to be exempt from SSL inspection.

Addresses Click + to add web addresses to be exempt from SSL inspection.

Log SSL exemptions Enable this option to log all SSL exemptions.

SSH Inspection Options

SSH Deep Scan Enable to perform SSH deep scan and then enter the SSH port to use for the SSH
deep scan.

Common Options This section is available only when Multiple Clients Connecting to Multiple
Servers is selected.

Invalid SSL Certificates l Select Allow to allow traffic with invalid certificate.
l Select Block to block traffic with an invalid certificate.
l Select Custom to display more options.

Expired certificates Select the action to take when the server certificate is expired. The default action
is block.
This option is available only when Custom is selected.

Revoked certificates Select the action to take when the server certificate is revoked. The default action
is block.
This option is available only when Custom is selected.

Validation timed-out Select the action to take when the server certificate validation times out. The
certificates default action is to keep untrusted and allow.
This option is available only when Custom is selected.

Validation failed certificates Select the action to take when the server certificate validation fails. The default
action is block.
This option is available only when Custom is selected.

Log SSL anomalies Enable this option to record traffic sessions containing untrusted or expired
certificates.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.
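The Blocked certificates, Untrusted SSL certificates and Common Options settings above combine into a single decision for each server certificate. The following Python is an added example, not FortiProxy code: it models a profile holding those settings with the defaults the table lists (untrusted: allow; expired, revoked, validation failed: block; validation timed out: keep untrusted and allow) and returns the action for a server certificate. The data model, the function names, the order in which the checks are applied and the SHA1-over-DER fingerprint used for the block list are assumptions made for the example.

```python
"""Decision logic for the server certificate options of an SSL/SSH inspection
profile (added example; not FortiProxy code).

Models: Blocked certificates (SHA1 fingerprints of malicious certificates),
Untrusted SSL certificates (Allow / Block / Ignore, where Ignore only applies
to full SSL inspection), and the Common Options actions for expired, revoked,
validation-timed-out and validation-failed certificates. Check ordering and
the data model are assumptions.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class InspectionProfile:
    inspection_method: str = "full"          # "full" (deep) or "certificate"
    untrusted_server_cert: str = "allow"     # allow | block | ignore (default allow)
    expired_server_cert: str = "block"       # default block
    revoked_server_cert: str = "block"       # default block
    cert_validation_timeout: str = "allow"   # default: keep untrusted and allow
    cert_validation_failure: str = "block"   # default block
    blocked_fingerprints: set = field(default_factory=set)  # lower-case hex SHA1


@dataclass
class ServerCert:
    der: bytes                   # DER encoding as received from the server
    issued_by_trusted_ca: bool   # chain validates to a trusted CA
    expired: bool = False
    revoked: bool = False
    validation: str = "ok"       # ok | timeout | failed


def sha1_fingerprint(der):
    """Hex SHA1 fingerprint of the DER certificate, as used in block lists."""
    return hashlib.sha1(der).hexdigest()


def evaluate(cert, profile):
    """Return (action, reason); action is 'block', 'allow' or 'allow-resigned'."""
    if sha1_fingerprint(cert.der) in profile.blocked_fingerprints:
        return "block", "certificate fingerprint is on the blocked list"
    if cert.revoked and profile.revoked_server_cert == "block":
        return "block", "server certificate is revoked"
    if cert.expired and profile.expired_server_cert == "block":
        return "block", "server certificate is expired"
    if cert.validation == "timeout" and profile.cert_validation_timeout == "block":
        return "block", "certificate validation timed out"
    if cert.validation == "failed" and profile.cert_validation_failure == "block":
        return "block", "certificate validation failed"
    if not cert.issued_by_trusted_ca:
        action = profile.untrusted_server_cert
        if action == "block":
            return "block", "certificate not issued by a trusted CA"
        if action == "ignore" and profile.inspection_method == "full":
            return "allow-resigned", "untrusted certificate re-signed as trusted"
        # 'allow', or 'ignore' under certificate inspection (no effect there)
        return "allow", "untrusted certificate allowed, kept untrusted"
    return "allow", "certificate accepted"


# Constructed placeholder bytes standing in for a DER certificate; not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-placeholder-not-a-real-certificate"

if __name__ == "__main__":
    profile = InspectionProfile(blocked_fingerprints={sha1_fingerprint(SAMPLE_DER)})
    print(evaluate(ServerCert(SAMPLE_DER, issued_by_trusted_ca=True), profile))
```

The fingerprint check runs first because a blocked certificate is rejected regardless of the other options; the "ignore" action is deliberately a no-op under certificate inspection, matching the note in the table that the GUI does not save it in that mode.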

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

SSL options can be configured in SSL/SSH profiles even when the protocol is disabled

HTTP/2 support in SSL inspection

Starting in FortiProxy 7.0.0, security profiles can perform SSL inspection on HTTP/2 traffic that is secured by TLS 1.2 or
1.3 using the Application-Layer Protocol Negotiation (ALPN) extension.

To set the ALPN support:

config firewall ssl-ssh-profile
    edit <profile>
        set supported-alpn {all | http1-1 | http2 | none}
    next
end

Multiple certificates can be defined in an SSL profile in replace mode

Multiple certificates can be defined in an SSL inspection profile in replace mode (Protecting SSL Server). This allows
multiple sites to be deployed on the same protected server IP address, and inspection based on matching the SNI in the
certificate.
When the FortiProxy unit receives the client and server hello messages, it will compare the SNI and CN with the
certificate list in the SSL profile, and use the matched certificate as a replacement. If there is no matched server
certificate in the list, the first server certificate in the list is used as a replacement.

To configure an SSL profile in replace mode with multiple certificates:

config firewall ssl-ssh-profile
    edit "multi-cert"
        set server-cert-mode replace
        set server-cert "bbb" "aaa"
    next
end

To configure a policy that uses the SSL profile:

config firewall policy
    edit 1
        set name "multi-cert"
        set srcintf "port6"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "multi-cert"
        set av-profile "default"
        set webfilter-profile "default"
        set logtraffic all
    next
end

Results

If the Server Name Identification (SNI) matches the Common Name (CN) in the certificate list in the SSL profile, then the
FortiProxy unit uses the matched server certificate.
If the Server Name Identification (SNI) does not match the Common Name (CN) in the certificate list in the SSL profile,
then the FortiProxy unit uses the first server certificate in the list.
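The selection rule in the Results above, and the Server certificate SNI check described earlier in this section (Enable, Strict, Disable), are both comparisons between the SNI in the client hello and the name in a certificate. The Python below is an added example, not FortiProxy code, that models both: which certificate from the "bbb" "aaa" list replaces the server certificate, and what the SNI check does on a mismatch. The certificate representation (object name, CN, SAN list) and an exact, case-insensitive hostname comparison are assumptions for the example.

```python
"""SNI handling in SSL inspection profiles (added example; not FortiProxy code).

Models two behaviours described in this section:
  * the Server certificate SNI check, which compares the SNI from the client
    hello with the CN or SAN of the returned server certificate and applies
    the Enable / Strict / Disable action on a mismatch;
  * replace mode with multiple certificates, where the certificate whose CN
    matches the SNI is used as the replacement and the first certificate in
    the list is used when nothing matches.
The certificate representation is an assumption; only the compared fields are
modelled, and matching is an exact, case-insensitive hostname comparison.
"""
from dataclasses import dataclass, field


@dataclass
class ServerCertificate:
    name: str                                  # certificate object name, e.g. "bbb"
    cn: str                                    # subject Common Name
    sans: list = field(default_factory=list)   # dNSName SAN entries


def _norm(host):
    """Normalise a hostname for comparison (case, trailing dot)."""
    return host.strip().lower().rstrip(".")


def sni_matches(sni, cert):
    """True when the SNI equals the CN or one of the SAN entries."""
    h = _norm(sni)
    return h == _norm(cert.cn) or any(h == _norm(s) for s in cert.sans)


def sni_check(mode, sni, cert):
    """Apply the Server certificate SNI check.

    Returns ('continue', hostname_used_for_url_filtering) or ('close', None).
    """
    if mode == "disable" or sni_matches(sni, cert):
        return "continue", sni
    if mode == "strict":
        return "close", None            # mismatch: close the connection
    if mode == "enable":
        return "continue", cert.cn      # mismatch: rate the URL by the CN instead
    raise ValueError("unknown SNI check mode: %r" % mode)


def select_replacement_cert(sni, cert_list):
    """Pick the replacement certificate in replace mode.

    cert_list is in the order given to 'set server-cert', so the first entry
    is the fallback when no CN matches the SNI.
    """
    if not cert_list:
        raise ValueError("replace mode needs at least one server certificate")
    for cert in cert_list:
        if _norm(sni) == _norm(cert.cn):
            return cert
    return cert_list[0]


if __name__ == "__main__":
    # Constructed sample list mirroring 'set server-cert "bbb" "aaa"'.
    certs = [ServerCertificate("bbb", "b.example.com"),
             ServerCertificate("aaa", "a.example.com", ["www.a.example.com"])]
    print(select_replacement_cert("a.example.com", certs).name)      # aaa
    print(select_replacement_cert("other.example.net", certs).name)  # bbb
    print(sni_check("strict", "x.example.com", certs[0]))            # ('close', None)
```

Note that the fallback to the first certificate means list order matters: put the certificate for the site you want unknown SNIs to receive first in the server-cert list.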

DNS inspection with DoT and DoH

DNS over TLS (DoT) and DNS over HTTPS (DoH) are supported in DNS inspection. Before FortiProxy 7.0.0, DoT and
DoH traffic silently passed through the DNS proxy. In FortiProxy 7.0.0, the WAD is able to handle DoT and DoH and
redirect DNS queries to the DNS proxy for further inspection.

To configure DNS inspection of DoT and DoH queries in the CLI:

1. Configure the SSL-SSH profile:


config firewall ssl-ssh-profile
edit "ssl"
config dot
set status deep-inspection
set client-certificate bypass
set unsupported-ssl-version block
set unsupported-ssl-cipher allow
set unsupported-ssl-negotiation allow
set expired-server-cert block
set revoked-server-cert block
set untrusted-server-cert allow
set cert-validation-timeout allow
set cert-validation-failure block
end
next
end

2. Configure the DNS filter profile:

config dnsfilter profile
    edit "dnsfilter"
        config ftgd-dns
            config filters
                edit 1
                    set category 30
                    set action block
                next
            end
        end
        set block-botnet enable
    next
end

3. Configure the firewall policy:


config firewall policy
edit 1
set srcintf "port1"
set dstintf "port3"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set profile-protocol-options "protocol"
set ssl-ssh-profile "ssl"
set webfilter-profile "webfilter"
set dnsfilter-profile "dnsfilter"
next
end

Client authentication with an SSL client certificate for the Original Content Server

Starting in FortiProxy 7.0.1, FortiProxy can provide a client certificate for authentication to the Original Content Server on
behalf of a user.
To use the SSL client certificate for server authentication:
l Set the client certificate to inspect under the config https command.
l Set the status of the SSL client certificate to keyring-list or ca-sign.
l The keyring-list setting matches the user name to the Common Name of the SSL client certificate in the
keyring list for authenticated users. See SSL Keyring on page 81.
l The ca-sign setting provides an SSL client certificate signed by a configured CA for authenticated users. The
signed client certificate has the Common Name set to the authenticated user's user name.
By default, the status of the SSL client certificate is set to do-not-offer, which means that the SSL client
certificate is not provided.

To provide an SSL client certificate from the keyring list:

config firewall ssl-ssh-profile
    edit <profile_name>
        config https
            set client-certificate inspect
        end
        config ssl-client-certificate
            set status keyring-list
            set keyring-list <keyring_list_used_to_find_client_certificate>
        end
    next
end

To provide an SSL client certificate signed by a CA:

config firewall ssl-ssh-profile
    edit <profile_name>
        config https
            set client-certificate inspect
        end
        config ssl-client-certificate
            set status ca-sign
            set caname <CA_certificate_used_to_sign_client_certificate>
        end
    next
end

Use the FortiProxy CLI to specify which keyring list to use for the SSL client certificate. The universally unique identifiers
(UUIDs) are automatically assigned. See SSL Keyring on page 81 for information about uploading keyring lists.

To specify the keyring list to use for the SSL client certificate:

config firewall ssl keyring-list
    edit <keyring_list_used_to_find_client_certificate>
    next
end

Disable IP-based URL rating

You can disable IP-based URL rating for SSL-exemption and proxy-address objects. By default, IP-based URL rating is
enabled.

To configure IP-based URL rating in an SSL/SSH inspection profile:

config firewall ssl-ssh-profile
    edit <name>
        set ssl-exemption-ip-rating {enable | disable}
    next
end

To configure IP-based URL rating in web proxy settings:

config firewall profile-protocol-options
    edit <protocol>
        config http
            set address-ip-rating {enable | disable}
        end
    next
end

Application Signatures

The FortiProxy predefined signatures cover common attacks. If you use an unusual or specialized application or an
uncommon platform, add custom signatures based on the security alerts released by the application and platform
vendors.
You can create custom IPS signatures and custom application signatures to further extend protection. For example, you
can use custom IPS signatures to protect unusual or specialized applications or even custom platforms from known and
unknown attacks.
All custom signatures follow a particular syntax. Each begins with a header and is followed by one or more keywords. A
custom signature definition is limited to a maximum length of 512 characters. A definition can be a single line or span
multiple lines connected by a backslash (\) at the end of each line.
A custom signature definition begins with a header, followed by a set of keyword/value pairs enclosed in parentheses.
The keyword and value pairs are separated by a semicolon (;) and consist of a keyword and a value separated by a
space. The following is the basic format of a definition:
HEADER (KEYWORD VALUE;)

You can use as many keyword/value pairs as required within the 512-character limit.
To view the available custom application signatures, go to Security Profiles > Application Signatures and click Signature.
Custom application signatures are listed under a separate heading in the table. To create a custom application
signature, see Create or edit an application signature on page 276.

To view the available custom application groups, go to Security Profiles > Application Signatures and click Group. To
create a custom application group, see Create or edit an application group on page 277.

Create or edit an application signature

If you have to detect an application that is not already in the application list, you can create an application signature:
1. Go to Security Profiles > Application Signatures and select Create New > Custom Application Signature. You can
also go to Security Profiles > Application Control, click Create New, click View Application Signatures, and select
Create New > Custom Application Signature.
2. Enter a name (no spaces) for the application signature in the Name field.
3. Enter a brief description in the Comments field.

4. Enter the text for the signature in the Signature field. The syntax for signatures is described in Valid syntax on page
277.
5. Click OK.

You can edit application signatures that you have created. Select the application signature and then click Edit.

Valid syntax

The following table shows the valid characters and basic structure. For details about each keyword and its associated
values, see Custom signature keywords on page 488.

Field: HEADER
Valid characters: F-SBID
Usage: The header for an attack definition signature. Each custom signature must begin with this header.

Field: KEYWORD
Valid characters: Each keyword must start with a pair of dashes (--) and consist of a string of 1 to 19 characters.
Normally, keywords are an English word or English words connected by an underscore (_). Keywords are case
insensitive.
Usage: The keyword identifies a parameter.

Field: VALUE
Valid characters: Double quotes (") must be used around the value if it contains a space and/or a semicolon (;). If the
value is NULL, the space between the KEYWORD and VALUE can be omitted. Values are case sensitive.
NOTE: If double quotes are used for quoting the value, the double quotes are not considered as part of the value string.
Usage: The value is set specifically for a parameter identified by a keyword.

Create or edit an application group

Starting in FortiProxy 7.0.0, when creating an application group, you can now define the application group by protocols,
risk, vendor, technology, behavior, popularity, and category.

To create an application group in the CLI:

config application group
    edit <name>
        set comment <string>
        set type {application | filter}
        set application <application_ID>
        set category <2 | 3 | 5-8 | 12 | 15 | 17 | 21-23 | 25 | 26 | 28-32>
        set risk <1-5>
        set protocols <0-47 | all>
        set vendor <0-25 | all>
        set technology <all | 0-4>
        set behavior <all | 2 | 5 | 6 | 9>
        set popularity <1-6>
    next
end

To create an application group:

1. Go to Security Profiles > Application Signatures.
2. Select Create New > Application Group.
3. Enter a group name.
4. Select the group type, either Application or Filter.
5. Click + to add members to the group.
6. Enter an optional description of the group.
7. Click OK.

To edit an application group:

1. Go to Security Profiles > Application Signatures.
2. Select Group.
3. Select a group name and click Edit.
4. Make your changes.
5. Click OK.

IPS Signatures

The FortiProxy predefined signatures cover common attacks. If you use an unusual or specialized application or an
uncommon platform, add custom signatures based on the security alerts released by the application and platform
vendors.
You can create custom IPS signatures and custom application signatures to further extend protection. For example, you
can use custom IPS signatures to protect unusual or specialized applications or even custom platforms from known and
unknown attacks.
All custom signatures follow a particular syntax. Each begins with a header and is followed by one or more keywords. A
custom signature definition is limited to a maximum length of 512 characters. A definition can be a single line or span
multiple lines connected by a backslash (\) at the end of each line.
A custom signature definition begins with a header, followed by a set of keyword/value pairs enclosed in parentheses.
The keyword and value pairs are separated by a semicolon (;) and consist of a keyword and a value separated by a
space. The following is the basic format of a definition:
HEADER (KEYWORD VALUE;)

You can use as many keyword/value pairs as required within the 512-character limit.
To view the available custom IPS signatures, go to Security Profiles > IPS Signatures. Custom IPS signatures are listed
under a separate heading in the table.

To create a custom IPS signature, see Create or edit an IPS signature on page 280.

Highlight of on-hold IPS signatures

Starting in FortiProxy 7.0.0, IPS signatures that are on hold (administrator-added delay for activation time) are
highlighted in the GUI as follows:
l On-hold signatures are grayed out with an hourglass icon beside the signature name.
l The signature tooltip displays the on hold expiry time.
l Users can still use on-hold signatures in an IPS sensor profile; however, the profile will not block matching traffic. It
will monitor it instead (logging in effect) until the on hold time expires.

After a hold time is configured in the CLI, go to Security Profiles > IPS Signatures. Hover over the grayed-out entry to
view the tooltip, which includes the action and hold time expiry.
The same tooltip is available on the Edit IPS Sensor (Security Profiles > Intrusion Prevention) page when creating or
editing the IPS signatures. In the Add Signatures pane when the Type is Signature, on-hold signatures are only
displayed as on hold if override-signature-hold-by-id is enabled.

Create or edit an IPS signature

You can create an IPS signature.

To create an IPS signature:

1. Go to Security Profiles > IPS Signatures and click Create New. You can also go to Security Profiles > Intrusion
Prevention, click Create New, click View IPS Signatures, and click Create New.
2. Enter a name (no spaces) for the IPS signature in the Name field.
3. Enter a brief description in the Comments field.
4. Enter the text for the signature in the Signature field. The syntax for signatures is described in Valid syntax on page
280.
5. Click OK.

You can also edit IPS signatures that you have created. Select the IPS signature and then click Edit.

Valid syntax

The following table shows the valid characters and basic structure. For details about each keyword and its associated
values, see Custom signature keywords on page 488.

Field: HEADER
Valid characters: F-SBID
Usage: The header for an attack definition signature. Each custom signature must begin with this header.

Field: KEYWORD
Valid characters: Each keyword must start with a pair of dashes (--) and consist of a string of 1 to 19 characters.
Normally, keywords are an English word or English words connected by an underscore (_). Keywords are case
insensitive.
Usage: The keyword identifies a parameter.

Field: VALUE
Valid characters: Double quotes (") must be used around the value if it contains a space and/or a semicolon (;). If the
value is NULL, the space between the KEYWORD and VALUE can be omitted. Values are case sensitive.
NOTE: If double quotes are used for quoting the value, the double quotes are not considered as part of the value string.
Usage: The value is set specifically for a parameter identified by a keyword.
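The Valid syntax table above for IPS signatures and the identical table under Application Signatures describe one grammar: the F-SBID header, parenthesised keyword/value pairs separated by semicolons, keywords of 1 to 19 characters after the double dash, quoting rules for values, backslash line continuation and the 512-character limit. The Python below is an added example, not Fortinet code, that validates and parses a definition against exactly those rules before it is pasted into the Signature field. The keyword names used in the sample definition (--name, --pattern, --no_case) are for illustration only; the keywords FortiProxy actually accepts are listed under Custom signature keywords. How whitespace is treated when continuation lines are joined is an assumption.

```python
"""Parser/validator for the custom signature syntax described in the Valid
syntax tables (added example; not Fortinet code).

Rules implemented from the tables:
  * the definition starts with the header F-SBID, followed by keyword/value
    pairs enclosed in parentheses and separated by semicolons;
  * a keyword starts with '--' and is 1 to 19 characters long (case insensitive);
  * a value must be double-quoted if it contains a space or ';', and the quotes
    are not part of the value (values are case sensitive);
  * a NULL value may follow the keyword with no separating space;
  * a definition may span lines joined by a trailing backslash;
  * the whole definition is limited to 512 characters.
Keyword names in the sample are illustrative only.
"""

MAX_LEN = 512
HEADER = "F-SBID"


class SignatureError(ValueError):
    """Raised when a definition violates the syntax rules."""


def join_continuations(text):
    """Join lines ending in a backslash into one logical line.

    Assumption: each physical line is stripped and the pieces are joined
    with a single space.
    """
    pieces = []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            line = line[:-1].rstrip()
        pieces.append(line)
    return " ".join(pieces)


def split_pairs(body):
    """Split the parenthesised body on ';' characters outside double quotes."""
    pairs, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
            current.append(ch)
        elif ch == ";" and not in_quotes:
            pairs.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if in_quotes:
        raise SignatureError("unterminated double quote in value")
    tail = "".join(current).strip()
    if tail:
        pairs.append(tail)  # a final pair without a trailing ';' is accepted
    return [p for p in pairs if p]


def parse_pair(pair):
    """Return (keyword, value) for one 'KEYWORD VALUE' item."""
    if not pair.startswith("--"):
        raise SignatureError("keyword must start with '--': %r" % pair)
    end = 2
    while end < len(pair) and not pair[end].isspace() and pair[end] != '"':
        end += 1
    keyword = pair[2:end]
    if not 1 <= len(keyword) <= 19:
        raise SignatureError("keyword must be 1 to 19 characters: %r" % keyword)
    value = pair[end:].strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]          # quotes are not part of the value
    elif " " in value or ";" in value:
        raise SignatureError("value containing a space or ';' must be quoted: %r" % value)
    return keyword.lower(), value    # keywords are case insensitive, values are not


def parse_signature(text):
    """Parse a custom signature definition into a {keyword: value} dict."""
    if len(text) > MAX_LEN:
        raise SignatureError("definition exceeds %d characters" % MAX_LEN)
    definition = join_continuations(text)
    if not definition.startswith(HEADER):
        raise SignatureError("definition must begin with the header " + HEADER)
    rest = definition[len(HEADER):].strip()
    if not (rest.startswith("(") and rest.endswith(")")):
        raise SignatureError("keyword/value pairs must be enclosed in parentheses")
    fields = {}
    for pair in split_pairs(rest[1:-1]):
        keyword, value = parse_pair(pair)
        fields[keyword] = value
    return fields


def is_valid(text):
    """True when the definition satisfies the syntax rules above."""
    try:
        parse_signature(text)
        return True
    except SignatureError:
        return False


if __name__ == "__main__":
    # Constructed sample definition spanning two lines joined by a backslash.
    sample = 'F-SBID( --name "Example.Custom"; \\\n        --pattern "hello world"; --no_case; )'
    print(parse_signature(sample))
```

Running the parser before saving a signature catches the errors the GUI would otherwise reject silently or mis-parse, such as an unquoted value with a space or a keyword longer than 19 characters.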

Web Rating Overrides

This feature allows you to override the FortiGuard web filtering. You can change the rating for a web site and control
access to the site without affecting the rest of the sites in the original category.
To override the FortiGuard web rating, go to Security Profiles > Web Rating Overrides.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a web rating override. See Create or edit a web rating override on page
282.

Edit Modify the selected web rating override. See Create or edit a web rating override
on page 282.

Delete Remove the selected web rating override.

Status Select Enable or Disable to make the override active or inactive.

Custom Categories Select to create a custom category for groups of URLs. See Create or edit a
custom category on page 283.

Search Enter a search term to find in the web rating override list.

Show original categories Enable to add the Original Category column, which shows the categories that are
being overridden.

URL The URL of a web site.

Status Whether the override is enabled or disabled.

Comments An optional description of the web rating override.

Ref. Displays the number of times the object is referenced by other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Override Category The new category for the web site.

Original Category The category that the web site originally belonged to.

Create or edit a web rating override

Click Create New to open the New Web Rating Override window.

To open the Edit Web Rating Override window, select a web rating override from the list and then click Edit.
Configure the following settings and then click OK to save your changes:

URL Enter the URL of a website.

Lookup Rating Click to find the FortiGuard rating if it exists for the URL you entered.

Comments Enter an optional description of the web rating override.

Category Select the new category for the website.

Sub-Category Select a more narrowly defined option within the category that you selected for the
website.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

Create or edit a custom category

Click Custom Categories to open the Custom Categories window.

To create a category for a group of web sites:

1. Go to Security Profiles > Web Rating Overrides.
2. Click Custom Categories. The Custom Categories window opens.
3. Click Create New.
4. Enter the name of the custom category.
5. Click Enable to make the custom category active.
6. Click OK.

To use the new category, select the Custom Categories category in the New Web Rating Override window or the Edit
Web Rating Override window. The new categories are listed in the Sub-Category drop-down menu.
To edit a custom category, select a category from the list and then click Edit.

Web Profile Overrides

Administrators can grant temporary access to sites that are otherwise blocked by a web filter profile. You can grant
temporary access to a user, user group, or source IP address. You can set the time limit by selecting a date and time.
The default is 15 minutes.

When the administrative web profile override is enabled, a blocked access page or replacement message does not
appear, and authentication is not required.
To override the web filter profile, go to Security Profiles > Web Profile Overrides.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a web profile override. See Create or edit a web profile override on page
284.

Edit Modify the selected web profile override. See Create or edit a web profile override
on page 284.

Delete Remove the selected web profile override.

Search Enter a search term to find in the web profile override list.

Initiator The user who created the web profile override.

Scope The scope is a user, a user group, or a source IP address.

Original Profile The web filter profile that is being overridden.

New Profile The web filter profile that is overriding the original web filter profile.

Status Whether the override is enabled or disabled.

Expires The day and time when the override ends.

Create or edit a web profile override

Click Create New to open the New Administrative Override window.

To open the Edit Administrative Override window, select a web profile override from the list and then click Edit.
Configure the following settings and then click OK to save your changes:

Scope range Select one of the following scope ranges:
l User: Authentication for permission to override is based on whether or not
the user is using a specific user account.
l User group: Authentication for permission to override is based on whether or
not the user account supplied as a credential is a member of the specified
user group.
l Source IP: Authentication for permission to override is based on the IP
address of the computer that was used to authenticate. This would be used
for computers that have multiple users. For example, if a user logs on to the
computer, engages the override by using their credentials, and then logs off,
anyone who logs on with an account on that computer would be using the
alternate override web filter profile.

User If you selected User for the scope range, select or create the user. See Create a
user on page 371.

User group If you selected User group for the scope range, select or create the user group.
See Create or edit a user group on page 377.

Source IP If you selected Source IP for the scope range, enter the source IP address.

Original profile Select or create a web filter profile to override. See Create or edit a web filter
profile on page 231.

New profile Select or create a web filter profile that will override the original web filter profile.
See Create or edit a web filter profile on page 231.

Expires Select the date and time when the override ends.

Status Enable to make the override active.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

References Click to open the object usage page to show which other configurations are
referencing the object.

Edit in CLI Click to open a CLI console window to view and edit the setting in the CLI. If there
are multiple CLI settings on the page, the CLI console shows the first setting.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

Profile Groups

Profile groups are used to group security profiles of different types together, and can be used in policies instead of
individual profiles.

To create a profile group in the GUI:

1. Go to Security Profiles > Profile Groups and click Create New.
2. Enter a name for the group.
3. Select the Protocol Options from the drop-down list.
4. Enable the required profile types and select a profile for each.
5. Click OK.

To create a profile group in the CLI:

config firewall profile-group
    edit <name>
        set profile-protocol-options <options>
        set ssl-ssh-profile {certificate-inspection | custom-deep-inspection | deep-inspection | no-inspection}
        set av-profile <profile>
        set ia-profile <profile>
        set webfilter-profile <profile>
        set dnsfilter-profile <profile>
        set emailfilter-profile <profile>
        set dlp-sensor <sensor>
        set file-filter-profile <profile>
        set ips-sensor <sensor>
        set application-list <list>
        set icap-profile <profile>
        set cifs-profile <profile>
        set videofilter-profile <profile>
        set ssh-filter-profile <profile>
    next
end

To use a profile group in a policy:

config firewall policy
    edit <policy>
        set profile-type group
        set profile-group <group>
    next
end

Data Leak Prevention

The data leak prevention (DLP) system allows you to prevent sensitive data from leaving your network. After sensitive
data patterns are defined, data matching the patterns will either be blocked or logged and then allowed.

The DLP system is configured by creating filters based on various attributes and expressions within DLP sensors and
then assigning the sensors to security policies.
DLP can also be used to prevent unwanted data from entering your network and to archive content passing through the
FortiProxy device.
A DLP sensor is a package of filters. To use DLP, select and enable a DLP sensor in a security policy. The traffic
controlled by the security policy will be searched for the patterns defined in the filters contained in the DLP sensor.
Matching traffic will be passed or blocked according to the filters.
To view available DLP sensors, go to Security Profiles > Data Leak Prevention.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a DLP sensor. See Create or edit a DLP sensor on page 289.

Edit Modify the selected DLP sensor. See Create or edit a DLP sensor on page 289.

Clone Make a copy of a DLP sensor.

Delete Remove the selected DLP sensor.

Search Search for text in any column.

Name The name of the DLP sensor.

Comments Optional description of the sensor.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

DLP Log Logging when data matches the configured patterns is enabled or disabled.


Create or edit a DLP sensor

To configure a DLP sensor, go to Security Profiles > Data Leak Prevention and click Create New.

Configure the following settings and select OK to save your changes:

Name Enter the name of the DLP sensor.

Comments An optional description of the DLP sensor.

DLP Log Enable if you want a log entry when data matches the configured patterns.

Rules Create or edit DLP filter rules. See Create or edit a DLP filter rule on page 291.

To create a DLP sensor:

1. Go to Security Profiles > Data Leak Prevention and click Create New. The New DLP Sensor window opens.
2. Enter a name for the new sensor in the Name field and, optionally, enter a description of the sensor in the
Comments field.
3. Enable DLP Log if you want a log entry when data matches the configured patterns.
4. Add DLP filter rules to the sensor. See Create or edit a DLP filter rule on page 291.
5. Click OK to create the new sensor.


To edit a DLP sensor:

1. Go to Security Profiles > Data Leak Prevention.
2. Select a DLP sensor and then click Edit. The Edit DLP Sensor window opens.
3. Edit the DLP sensor name and comments as required.
4. Enable or disable DLP Log.
5. Edit, create, or delete DLP filter rules as required. See Create or edit a DLP filter rule on page 291.
6. Click OK to save your changes.

DLP archiving

DLP is typically used to prevent sensitive information from getting out of your company network, but it can also be used
to record network use. This is called DLP archiving. The DLP engine examines email, FTP, NNTP, and web traffic.
Enabling archiving for rules when you add them to sensors directs the FortiProxy unit to record all occurrences of these
traffic types when they are detected by the sensor.
Because the archive setting is configured for each rule in a sensor, you can have a single sensor that archives only the
things you want.
You can archive Email, FTP, HTTP, and session control content:
- Email content includes IMAP, POP3, and SMTP sessions. Email content can also include email messages tagged as spam by Email filtering. If your unit supports SSL content scanning and inspection, email content can also include IMAPS, POP3S, and SMTPS sessions.
- HTTP content includes HTTP sessions. If your unit supports SSL content scanning and inspection, HTTP content can also include HTTPS sessions.
DLP archives are saved to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service (subscription
required).
You can use DLP archiving to collect and view historical logs that have been archived to a FortiAnalyzer unit or the
FortiGuard Analysis and Management Service. DLP archiving is available for FortiAnalyzer when you add a
FortiAnalyzer unit to the Fortinet configuration. The FortiGuard Analysis server becomes available when you subscribe
to the FortiGuard Analysis and Management Service.
Two sample DLP sensors are provided with DLP archiving enabled. If you select the Content_Summary sensor in a security policy, it saves a summary DLP archive of all traffic the security policy handles. Similarly, the Content_Archive sensor saves a full DLP archive of all traffic handled by the security policy you apply it to. Both sensors are configured to detect all traffic of the supported types and archive it.
NOTE: You can see these sensors in the GUI but the configuration is only visible through the CLI; DLP archiving is set in
the CLI only.

To enable the DLP archiving:

config dlp sensor
    edit <name of sensor>
        set summary-proto smtp pop3 imap http-get http-post ftp nntp mapi cifs
    next
end


Create or edit a DLP filter rule

Each DLP sensor must have one or more DLP filter rules configured within it. Filters can examine traffic for the following:
- Known files using DLP fingerprints
- Files of a particular name or type
- Files larger than a specified size
- Data matching a specified regular expression
- Traffic matching an advanced or compound rule
File filters allow you to block files based on their file names and types. When a file filter list is applied to a DLP sensor
filter, the network traffic is examined against the list entries, and, if the sensor filter is triggered, the predefined action is
taken by the DLP sensor filter.
The general steps for configuring filters are as follows:
1. Create a DLP sensor.
2. Add DLP filter rules to filter either messages or specific file types.
3. Select the DLP sensor in a security policy.

To create a DLP filter rule in the GUI:

Select Create New to open the Create New Dlp Filter Rule window.

To open the Edit Dlp Filter Rule window, select a filter and then click Edit.
Configure the following settings in the Create New Dlp Filter Rule window or the Edit Dlp Filter Rule window and then
click OK.

Name Enter a name for the DLP filter rule.


Severity Select a severity for the DLP filter rule: Information, Low, Medium, High, or
Critical.

Type Select File or message to filter based on file attributes or to filter for specific
messages.

Filter By Select the filter from the drop-down list.

Regular Expression Enter the pattern that network traffic is examined for. See Regular expressions on
page 296.

File Pattern Select or create a DLP file pattern. See File types on page 296.

File Size Enter the maximum file size in kilobytes. See File size on page 294.

Company Identifier Enter the company identifier. The company identifier is to make sure that you are
only blocking watermarks that your company has placed on the files, not
watermarks with the same name by other companies. See Watermarking on page
296.

Protocols Select one or more protocols that the filter will examine. This allows resources to
be optimized by only examining relevant traffic. The available protocols are
HTTP-POST, IMAP, MAPI, NNTP, POP3, and SMTP.

Action Select an action to take if the filter is triggered. Available actions are Allow, Log
Only, Block, and Quarantine IP Address.

Allow No action is taken when the filter is triggered.

Log Only When the filter is triggered, the match is logged, but no other action is taken.

Block Traffic matching the filter is blocked and replaced with a replacement message.
See Replacement Messages on page 430.

Quarantine IP Address Block access for any IP address that sends traffic matching the filter. The IP
address is added to the banned user list, and an appropriate replacement
message is sent for all connection attempts until the quarantine time expires.
Enter the amount of time that the IP address will be quarantined for (>= 1 minute).

Basic DLP filter types

You can configure four basic filter types:
- File types
- File size
- Regular expression
- Credit card and SSN

File type and name

A file type filter allows you to block, allow, log, or quarantine based on the file type specified in the file filter list.


To configure file type and name filtering using the CLI:

1. Create a file pattern to filter files based on the file name pattern or file type:

config dlp filepattern
    edit <filepattern_entry_integer>
        set name <string>
        config entries
            edit <file pattern>
                set filter-type {type | pattern}
                set file-type <file type>
            next
        end
    next
end

For example, to filter for GIFs and PDFs:

config dlp filepattern
    edit 11
        set name "sample_config"
        config entries
            edit "*.gif"
                set filter-type pattern
            next
            edit "pdf"
                set filter-type type
                set file-type pdf
            next
        end
    next
end

2. Attach the file pattern to a DLP sensor, and specify the protocols and actions:

config dlp sensor
    edit <string>
        config filter
            edit <integer>
                set name <string>
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}
                set filter-by file-type
                set file-type 1 <-- Previously configured file pattern
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end
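The sample_config file pattern above mixes two kinds of entries: "*.gif" is a name pattern, while "pdf" is a content type. The difference matters for DLP: a renamed file keeps its content type but loses its name match. The following Python script, added here as an illustration and not taken from the guide or from FortiProxy's own code, models both entry kinds plus a file-size filter, and runs them over constructed sample files. Its magic-byte detector, the 64 KB threshold, the filter names and the rule that the most restrictive action wins when several filters fire are the example's own choices.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Precedence when several filters in one sensor fire on the same file (example's assumption).
ACTION_RANK = {"allow": 0, "log-only": 1, "block": 2, "quarantine-ip": 3}

# Leading byte signatures for a few of the types in the guide's file type list. The signatures
# are the standard ones; the detector itself is a simplified stand-in, not FortiProxy's engine.
MAGIC: List[Tuple[bytes, str]] = [
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),
    (b"\x7fELF", "elf"),
    (b"\xff\xd8\xff", "jpeg"),
]


def detect_file_type(data: bytes) -> str:
    """Classify a file by its leading bytes; anything unrecognised is 'unknown'."""
    for signature, file_type in MAGIC:
        if data.startswith(signature):
            return file_type
    return "unknown"


@dataclass
class PatternEntry:
    filter_type: str   # "pattern" matches the file name, "type" matches the detected content type
    value: str         # a glob such as "*.gif", or a type name such as "pdf"


@dataclass
class FileFilter:
    name: str
    filter_by: str                                             # "file-type" or "file-size"
    action: str                                                # allow, log-only, block, quarantine-ip
    entries: List[PatternEntry] = field(default_factory=list)  # the file pattern, for file-type
    file_size_kb: int = 0                                      # the threshold, for file-size


def match_file_pattern(entries: List[PatternEntry], filename: str, data: bytes) -> Optional[str]:
    """Return the reason the first matching entry fired, or None if no entry matches."""
    detected = detect_file_type(data)
    for entry in entries:
        if entry.filter_type == "pattern" and fnmatch.fnmatch(filename.lower(), entry.value.lower()):
            return f"name matches {entry.value}"
        if entry.filter_type == "type" and detected == entry.value:
            return f"content is {entry.value}"
    return None


def evaluate_file(filename: str, data: bytes, filters: List[FileFilter]) -> Tuple[str, List[Tuple[str, str]]]:
    """Apply every filter to one file; return the resulting action and (filter, reason) pairs."""
    action, hits = "allow", []
    for flt in filters:
        reason = None
        if flt.filter_by == "file-type":
            reason = match_file_pattern(flt.entries, filename, data)
        elif flt.filter_by == "file-size" and len(data) > flt.file_size_kb * 1024:
            reason = f"{len(data)} bytes exceeds {flt.file_size_kb} KB"
        if reason:
            hits.append((flt.name, reason))
            if ACTION_RANK[flt.action] > ACTION_RANK[action]:
                action = flt.action
    return action, hits


# The guide's sample_config pattern (GIFs by name, PDFs by type) on a blocking filter, plus a
# size filter that only logs. The 64 KB threshold is chosen for the example.
SAMPLE_CONFIG = [PatternEntry("pattern", "*.gif"), PatternEntry("type", "pdf")]
FILTERS = [
    FileFilter("block-gif-pdf", "file-type", "block", entries=SAMPLE_CONFIG),
    FileFilter("log-large", "file-size", "log-only", file_size_kb=64),
]

# Constructed sample files (bytes built inline, not real documents).
SAMPLE_FILES = {
    "logo.gif": b"GIF89a" + b"\x00" * 32,
    "report.pdf": b"%PDF-1.7\n%constructed\n",
    "report.txt": b"%PDF-1.7\n%renamed, same content\n",   # name filter misses it, type filter catches it
    "notes.txt": b"plain text, nothing to see",
    "dump.bin": b"\x00" * (64 * 1024 + 1),
}

if __name__ == "__main__":
    for name, content in SAMPLE_FILES.items():
        print(f"{name:11} -> {evaluate_file(name, content, FILTERS)}")
```

The report.txt case is the one worth noting: it is blocked because the "pdf" entry is a type entry, whereas a pattern-only list ("*.pdf") would have let the renamed file through.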

To configure file type and name filtering using the GUI:

1. Go to Security Profiles > Data Leak Prevention.
2. Click Create New. The New DLP Sensor window opens.
3. Click Create New in the Rules table. The Create New Dlp Filter Rule window opens.
4. Set Type to File and select Match a DLP File Pattern.
5. Select or create a file pattern. See Create or edit a DLP file pattern on page 298.
6. Click + and select one or more protocols from the side pane.
7. Select the action.
8. Click OK to save the new filter.

File size

A file size filter checks for files that exceed the specified size and performs the DLP sensor's configured action on them.

To configure file size filtering using the CLI:

config dlp sensor
    edit <string>
        config filter
            edit <integer>
                set name <string>
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}
                set filter-by file-size <-- Match any file with a size over the threshold
                set file-size <size_in_KB> <-- Size threshold in kilobytes
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end

To configure file size filtering using the GUI:

1. Go to Security Profiles > Data Leak Prevention.
2. Click Create New. The New DLP Sensor window opens.
3. Click Create New in the Rules table. The Create New Dlp Filter Rule window opens.
4. Set Type to File and select Match Any File Over Size.
5. Enter the maximum file size, in kilobytes, in the File Size field.
6. Click + and select one or more protocols from the side pane.
7. Select the action.
8. Click OK.

Regular expression

A regular expression filter is used to filter files or messages based on the configured regular expression pattern.

To configure regular expression filtering using the CLI:

config dlp sensor
    edit <string>
        config filter
            edit <integer>
                set name <string>
                set type {file | message} <-- Check contents of a file or of messages, web pages, and so on
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}
                set filter-by regexp <-- Use a regular expression to match content
                set regexp <regexp> <-- Input a regular expression pattern
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end

To configure regular expression filtering using the GUI:

1. Go to Security Profiles > Data Leak Prevention.
2. Click Create New. The New DLP Sensor page opens.
3. Click Create New in the Rules table. The Create New Dlp Filter Rule window opens.
4. For filtering regular expressions in files, set Type to File. For filtering in messages, set Type to message.
5. Select Match a Regular Expression.
6. Enter the regular expression string in the Regular Expression field.
7. Click + and select one or more protocols from the side pane.
8. Select the action.
9. Click OK.

Credit card and SSN

The credit card sensor can match the credit card number formats used by American Express, Mastercard, and Visa. It
can be used to filter files or messages.
The SSN sensor can be used to filter files or messages for Social Security Numbers.

To configure credit card or SSN filtering using the CLI:

config dlp sensor
    edit <string>
        config filter
            edit <integer>
                set name <string>
                set type {file | message} <-- Check contents of a file, or of messages, web pages, etc.
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}
                set filter-by {credit-card | ssn} <-- Match credit cards or social security numbers
                set action {allow | log-only | block | quarantine-ip}
            next
        end
    next
end

To configure credit card or SSN filtering using the GUI:

1. Go to Security Profiles > Data Leak Prevention.
2. Click Create New. The New DLP Sensor page opens.
3. Click Create New in the Rules table. The Create New Dlp Filter Rule window opens.
4. For filtering in files, set Type to File. For filtering in messages, set Type to message.
5. Select Match Credit Card Numbers or Match Social Security Numbers.
6. Click + and select one or more protocols from the side pane.
7. Select the action.
8. Click OK.

Regular expressions

Network traffic is examined for the pattern described by the regular expression specified in the DLP sensor filters.
Fortinet uses a variation of the Perl Compatible Regular Expressions (PCRE) library. For some examples of Perl
expressions, see Perl regular expressions on page 480. For more information about using Perl regular expressions, go
to http://perldoc.perl.org/perlretut.html.
By adding multiple filters containing regular expressions to a sensor, a dictionary can be developed within the sensor.
The filters can include expressions that accommodate complex variations of words or target phrases. Within the
sensors, each expression can be assigned a different action, allowing for a very granular implementation.
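To make the dictionary idea concrete, and to show what the credit card and SSN filters of the previous section actually have to recognise, here is an added Python model of a DLP sensor. It is illustration only, not the guide's code or FortiProxy's engine: the brand formats, the Luhn check (the guide does not say whether FortiProxy applies one), the SSN exclusions, the sample messages and the rule that the most restrictive action wins when several filters fire are all the example's own. Patterns are written in Python re syntax; FortiProxy uses a PCRE variant, so test each expression on the unit itself.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Precedence when several rules in one sensor fire on one message (example's assumption;
# the guide only says matching traffic is passed or blocked according to the filters).
ACTION_RANK = {"allow": 0, "log-only": 1, "block": 2, "quarantine-ip": 3}

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Issuer prefix and length formats for the three brands the guide names.
CARD_BRANDS = {
    "visa": re.compile(r"^4\d{12}(?:\d{3})?$"),
    "mastercard": re.compile(
        r"^(?:5[1-5]\d{2}|222[1-9]|22[3-9]\d|2[3-6]\d{2}|27[01]\d|2720)\d{12}$"),
    "amex": re.compile(r"^3[47]\d{13}$"),
}

# US Social Security Number format with the structurally invalid area (000, 666, 9xx),
# group (00) and serial (0000) values excluded.
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used here to cut false positives on random digit runs."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_credit_cards(text: str) -> List[Tuple[str, str]]:
    """Return (brand, digits) for each candidate that matches a brand format and Luhn."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        for brand, fmt in CARD_BRANDS.items():
            if fmt.match(digits) and luhn_ok(digits):
                hits.append((brand, digits))
                break
    return hits


def find_ssns(text: str) -> List[str]:
    return SSN_PATTERN.findall(text)


@dataclass
class FilterRule:
    name: str
    severity: str                    # Information, Low, Medium, High or Critical
    action: str                      # allow, log-only, block or quarantine-ip
    matcher: Callable[[str], List]   # returns the matches found in a message body


def regexp_rule(name: str, severity: str, action: str, pattern: str) -> FilterRule:
    """Equivalent of 'set filter-by regexp' with the given pattern."""
    return FilterRule(name, severity, action, re.compile(pattern).findall)


# One sensor: a package of filter rules. The two regexp rules form a small dictionary,
# each entry with its own severity and action.
SENSOR: List[FilterRule] = [
    FilterRule("credit-card", "High", "block", find_credit_cards),
    FilterRule("ssn", "Critical", "quarantine-ip", find_ssns),
    regexp_rule("codename", "Medium", "log-only", r"\bCODENAME-[A-Z]+\b"),
    regexp_rule("confidential", "Low", "allow", r"(?i)\bconfidential\b"),
]


def evaluate(sensor: List[FilterRule], body: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Run every rule over one message body; return the action to take and the
    (rule name, severity, match) triples that fired."""
    action, hits = "allow", []
    for rule in sensor:
        matches = rule.matcher(body)
        if not matches:
            continue
        hits.extend((rule.name, rule.severity, str(m)) for m in matches)
        if ACTION_RANK[rule.action] > ACTION_RANK[action]:
            action = rule.action
    return action, hits


# Constructed sample message bodies (not from the guide or from real traffic).
SAMPLES: Dict[str, str] = {
    "expense_report": "Please reimburse card 4111 1111 1111 1111 for the trip.",
    "hr_form": "Applicant SSN: 123-45-6789, start date next week.",
    "newsletter": "Order reference 4111-1111-1111-1112 (not a card number).",
    "project_memo": "Project CODENAME-FALCON status: confidential draft attached.",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        action, hits = evaluate(SENSOR, body)
        print(f"{label:15} -> {action:13} {hits}")
```

The newsletter sample is the false-positive case: it has a Visa-shaped 16-digit number but fails the checksum, so it is not reported, while the project memo shows two dictionary entries firing with different actions and the stricter one winning.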

File types

- Archive (7z)
- Archive (arj)
- Archive (bzip)
- Archive (bzip2)
- Archive (cab)
- Archive (gzip)
- Archive (lzh)
- Archive (rar)
- Archive (tar)
- Archive (xz)
- Archive (zip)
- Audio (avi)
- Audio (mp3)
- Audio (wav)
- Audio (wma)
- Batch File (bat)
- BMP Image (bmp)
- Common Console Document (msc)
- Encoded Data (base64)
- Encoded Data (binhex)
- Encoded Data (mime)
- Encoded Data (uue)
- Executable (elf)
- Executable (exe)
- GIF Image (gif)
- HTML Application (hta)
- HTML File (html)
- Ignored File Type (ignored)
- Java Application Descriptor (jad)
- Java Class File (class)
- Java Compiled Bytecode (cod)
- JavaScript File (javascript)
- JPEG Image (jpeg)
- Microsoft Active Mime Object (activemime)
- Microsoft Office (msoffice)
- Microsoft Office (msofficex)
- Packer (aspack)
- Packer (fsg)
- Packer (petite)
- Packer (upx)
- PalmOS Application (prc)
- PDF (pdf)
- PNG Image (png)
- Real Media Streaming (rm)
- Symbian Installer System File (sis)
- TIFF Image (tiff)
- Torrent (torrent)
- Unknown File Type (unknown)
- Video (mov)
- Video (mpeg)
- Windows Help File (hlp)
- Windows Installer Package (msi)

Watermarking

Watermarking is essentially marking files with a digital pattern to mark the file as being proprietary to a specific company.
Fortinet provides a Linux-based utility that applies a digital watermark to files. The utility adds a small (approximately 100
bytes) pattern to the file that is recognized by the DLP watermark filter. The pattern is invisible to the end user.


When watermarking a file, verify that the pattern matches a category found on the FortiProxy firewall. For example, if you
are going to watermark a file with the sensitivity level of “Secret” you should verify that “Secret” is a sensitivity level that
has been assigned in the FortiProxy unit.

Company identifier and sensitivity

The company identifier is to make sure that you are only blocking watermarks that your company has placed on the files,
not watermarks with the same name by other companies.
If you are using watermarking on your files, you can use the watermark sensitivity filter to check for watermarks that
correspond to sensitivity categories that you have set up.

Software versions

Before planning on using watermarking software it is always best to verify that the software will work with your OS.
Currently, the only utility available to watermark files is a Linux-based command line tool. It is available for download
from the Fortinet Customer Service & Support website, with a valid support contract and access to the site. To access
the file:
1. Sign into the Fortinet Customer Service & Support website.
2. Go to https://support.fortinet.com/Download/FirmwareImages.aspx.
3. Navigate to the image file path for WATERMARK.
4. Download the fortinet-watermark-linux.out file.

File types

The watermark utility does not work with every file type. The following file types are supported by the watermark tool: .txt, .pdf, .doc, .xls, .ppt, .docx, .pptx, and .xlsx.

Syntax of the watermark utility

The tool is executed in a Linux environment by passing in files or directories of files to insert a watermark.
Usage:
watermark_linux_amd64 <options> -f <file name> -i <identifier> -l <sensitivity level>
watermark_linux_amd64 <options> -d <directory> -i <identifier> -l <sensitivity level>

Options:
-h print help
-I inplace watermarking (do not copy file)
-o output file (or directory in directory mode)
-e encode <to non-readable>
-i add watermark identifier
-l add watermark sensitivity level
-D delete watermark identifier
-L delete watermark sensitivity level


DLP File Pattern

DLP file patterns match selected file types and file patterns. They are used as DLP filter rules in DLP sensors.
To view available DLP file patterns, go to Security Profiles > DLP File Pattern.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a DLP file pattern. See Create or edit a DLP file pattern on page 298.

Edit Modify the selected DLP file pattern. See Create or edit a DLP file pattern on page
298.

Delete Remove the selected DLP file pattern.

ID Identifier for the DLP file pattern.

Name The name of the DLP file pattern.

Comments An optional description of the DLP file pattern.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create or edit a DLP file pattern

You can create or edit DLP file patterns.

To create a DLP file pattern:

1. Go to Security Profiles > DLP File Pattern.
2. Click Create New. The Create DLP File Pattern window opens.
3. Enter an identifier for the DLP file pattern.
4. Enter a name for the DLP file pattern.
5. Enter an optional description of the DLP file pattern.
6. Select one or more file types.
7. Enter one or more file patterns.
8. Click OK to save the DLP file pattern.


To edit a DLP file pattern:

1. Go to Security Profiles > DLP File Pattern.
2. Select a DLP file pattern and then click Edit.
3. Edit the settings as required.
4. Click OK to save your changes to the DLP file pattern.

Content Analyses

Content Analysis Service is an automated computer vision AI that detects visual threats including pornography,
extremism, and graphic violence. Content Analysis empowers your application with AI content moderation that
recognizes threats in images.
Internet Content Adaptation Protocol (ICAP) allows for the offloading of certain processes to a separate server so that
your FortiProxy firewall can optimize its resources and maintain the best level of performance possible.
This section covers the following topics:
- Image Analysis on page 300
- ICAP Profile on page 303
- ICAP Remote Server on page 306
- ICAP Load Balancing on page 309
- ICAP Local Server on page 310
- ICAP scanning with FTP on page 312

Image Analysis

Content Analysis is a licensed feature, powered by AI that detects visual threats including pornography, extremism,
graphic violence, and other inappropriate Not Safe for Work (NSFW) visual content. This service is a real-time analysis
of the content passing through the FortiProxy unit. The Content Analysis Service uses advanced artificial intelligence
that delivers unparalleled accuracy with near zero false positives, all in a matter of milliseconds. After inappropriate
NSFW content is detected, such content can be optionally blocked or reported. Unlike early heuristic-based technologies
the AI-powered Content Analysis Service has been extensively trained and developed, and more NSFW-relevant Threat
Categories are being added as they become available.
In general, the procedure is similar to the HTTP antivirus scanning procedure.
When a client sends an HTTP request for an image, the HTTP Content-Type header determines the image type. The WAD process then holds the image content from the server for scanning before sending it to the client.
If the scan results are larger than the configurable threshold, the requested image is blocked, and the client receives a
replacement image. This replacement image keeps the same image type and size if you enable the option to re-size
images. The FortiProxy unit stores the results to improve performance for future requests.
The default settings provide a good balance, but they might require some adjustment in some instances.
To use Content Analysis, you need to set up at least one profile and apply it to a policy. Content Analysis profiles are
configured under Content Analyses > Image Analyses.


Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a Content Analysis profile. See Create or edit an Image Analysis profile on
page 301.

Edit Modify the selected Content Analysis profile. See Create or edit an Image
Analysis profile on page 301.

Delete Remove the selected Content Analysis profile.

Name The name of the Content Analysis profile.

Image Skip Size Enter a value between 0 and 2,048. This value represents the size of image that will be skipped by the image scan unit, in kilobytes. Images that are too small are difficult to scan and are more likely to be rated incorrectly by the image scan engine. The default value is 1.

Rating Error Action Set to either Pass or Block the image when it exceeds the rating threshold. The
default is Pass.

Comments An optional description of the Content Analysis profile.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Validating Content Analysis

You can use the following debug commands to validate the service licensing and image cache:
- get system fortiguard: Display licensing information.
- diagnose test application wad 143: Display image cache.
- diagnose test application wad 144: Clear image cache.
You need a license to display and clear the image cache; otherwise, these commands are not available.

Create or edit an Image Analysis profile

Select Create New to open the Create Image Analysis Profile window.
To open the Edit Image Analysis Profile window, select a profile and then click Edit.
Configure the following settings and then click OK:

Name Enter a name for this profile.


Comments Optional description of the profile.

Image Skip Size Enter a value between 0 and 2,048. This value represents the image size that will be skipped by the image scan unit, in kilobytes. Images that are too small are difficult to scan and are more likely to be rated incorrectly by the image scan engine. The default value is 1.

Image Skip Width This value represents the image width that will be skipped by the image scan unit,
in pixels. Images that are too small are difficult to scan and are more likely to be
rated incorrectly by the image scan engine.
The default value is 30 pixels; the minimum value is 5 pixels.

Image Skip Height This value represents the image height that will be skipped by the image scan
unit, in pixels. Images that are too small are difficult to scan and are more likely to
be rated incorrectly by the image scan engine.
The default value is 30 pixels; the minimum value is 5 pixels.

Rating Error Action Set to either Pass or Block the image when it exceeds the rating threshold.
The default is Pass.

Replace Image Select a replacement image. NOTE: The file type must be .jpeg.
To specify the replacement image, go to System > Replacement Messages and
select Manage Images.

Log Option Select All to log all content or Violation to log content that exceeds any of the
strictness levels.

Saving Blocked Images Enable to save blocked images.

Block Strictness Level For each category, select to Allow, Deny, or Monitor content that exceeds the
strictness level, and set the level between 0 and 100.
The higher the image score, the more chance of the image being explicit. The
challenge with this setting is that if you set it too high, it will block legitimate
images. If you set it too low, it will allow explicit images through. If the image score
is above this setting, the Rating Error Action is taken.
The default value is 30.

Alcohol The alcohol category is designed to identify images containing alcoholic brands
and beverages, people drinking alcohol, frat parties, keg stands, bars and
nightclubs, party aftermaths, shots, beer pong, kegs, and plastic cups associated
with drinking.

Drugs The drugs category is designed to identify images containing illegal and legal
drugs, drug use, drug paraphernalia, and plants and symbols relating to drugs.

Extremism The extremism category is designed to identify images containing terrorist militants, beheadings, executions, propaganda, acts of terrorism, KKK rallies, Hitler, insignia related to Nazism, KKK, ISIS, and white supremacy icons.

Gambling The gambling category is designed to identify images containing gambling.


Gore The gore or graphic violence category is designed to identify images containing
gore, graphic violence, self-harm, suicide, horrific imagery, bloody wounds,
accident victims, shooting victims, beatings, mutilation, decapitation, and images
that contain blood and guts.

Porn The pornography category is designed to identify images and videos containing
commercial pornography, amateur pornography, sexting selfies, nudity, sex acts,
grayscale pornographic images, sexually explicit cartoons, and manga.

Swim Underwear The swim and underwear, or risqué, category is designed to identify images
containing people wearing swimwear or beachwear, underwear, and lingerie.

Weapons The weapons category is designed to identify images containing rifles, machine
guns, handguns, grenade launchers, swords, knives, and people holding
handheld weapons.

ICAP Profile

Internet Content Adaptation Protocol (ICAP) is an application layer protocol that is used to offload tasks from the firewall
to separate, specialized servers. For more information see RFC 3507.
If you enable ICAP in a policy, HTTP and HTTPS (if HTTPS inspection is supported) traffic that is intercepted by the policy is transferred to the ICAP server specified by the selected ICAP profile. Responses from the ICAP server are returned to the FortiProxy unit and then forwarded to their destination.

By default, ICAP is not visible in the GUI. See Feature Visibility on page 444 for instructions on
making it visible.

The ICAP Profile page allows you to view and configure ICAP profiles, which you can then apply to a policy.
If you enable ICAP in a security policy, HTTP traffic intercepted by the policy is transferred to the ICAP servers in the
ICAP profile added to the policy. The FortiProxy unit acts as the surrogate and carries the ICAP responses from the
ICAP server to the ICAP client. The ICAP client then responds back, and the FortiProxy unit determines the action that
should be taken with these ICAP responses and requests.
You can configure ICAP profiles under Content Analyses > ICAP Profile.


Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create an ICAP profile. See Create or edit an ICAP profile on page 304.

Edit Edit an ICAP profile. See Create or edit an ICAP profile on page 304.

Delete Delete a profile or profiles.

Name The name of the ICAP profile.

Request Whether request processing is enabled or disabled.

Response Whether response processing is enabled or disabled.

Streaming Content Bypass Whether streaming media is allowed (enabled) to ignore offloading to the ICAP
server.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create or edit an ICAP profile

Select Create New to open the New ICAP Profile window.

To open the Edit ICAP Profile window, select an ICAP profile and then click Edit.
Configure the following settings in the New ICAP Profile window or Edit ICAP Profile window and then click OK:

Name Specify a name for the ICAP profile. After you create an ICAP profile, you cannot
change the name.

Request Processing Enable or disable request processing. If you enable request processing, select a server from the drop-down menu, specify the path on the server to the processing component, and then select the behavior on failure, either Error or Bypass.

Response Processing Enable or disable response processing. If you enable response processing, select a server from the drop-down menu, specify the path on the server to the processing component, and then select the behavior on failure, either Error or Bypass.

Streaming Media Bypass Enable to allow streaming media to ignore offloading to the ICAP server.

TCP connection pool for connections to ICAP server

Starting in FortiProxy 7.0.0, a TCP connection pool can maintain local-out TCP connections to the external ICAP server
due to a backend update in the FortiProxy unit. TCP connections will not be terminated once data has been exchanged
with the ICAP server, but instead are reused in the next ICAP session to maximize efficiency.

Use case

In this scenario, an ICAP profile is used as a UTM profile in an explicit web proxy policy, and a client visits web servers
through this proxy policy.
After the WAD is initialized, when an HTTP request is sent from the client to the server through the FortiProxy unit with an ICAP profile applied to the matched proxy policy, a TCP connection is established between the FortiProxy unit and the ICAP server to exchange data.
When an ICAP session is finished, the TCP connection is kept in the WAD connection pool. When another ICAP session
needs to be established, the WAD will check if there are any idle connections available in the connection pool. If an idle
connection is available, it will be reused; otherwise, a new TCP connection is established for the ICAP session. This
process can be checked in the WAD debug log.
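The pooling behaviour described above, as an added example in Python. This is not WAD or FortiProxy code: it models a pool in which a finished ICAP session returns its connection, the next session reuses an idle connection when one exists and otherwise opens a new one, and the number of open connections never exceeds the remote server's Max Connections. The idle timeout (idle connections older than it are discarded instead of reused) and the session timings are assumptions, and the simulate helper exists only to replay sessions against the pool.

```python
"""Idle-connection pool for local-out TCP connections to an ICAP server.

Added example; not WAD or FortiProxy code. The cap mirrors the remote
server's Max Connections setting; the idle timeout is an assumption.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple


class PoolExhausted(Exception):
    """Raised when a session needs a connection but the cap is reached."""


@dataclass
class Conn:
    conn_id: int
    idle_since: Optional[float] = None   # None while an ICAP session is using it


@dataclass
class IcapConnectionPool:
    max_connections: int = 100           # remote server Max Connections
    idle_timeout: float = 60.0           # seconds, assumed
    opened: int = 0                      # counters a debug log would surface
    reused: int = 0
    expired: int = 0
    _idle: Deque[Conn] = field(default_factory=deque)   # oldest idle on the left
    _in_use: Dict[int, Conn] = field(default_factory=dict)
    _next_id: int = 1

    def acquire(self, now: float) -> Conn:
        # Discard idle connections the server side may already have torn down.
        while self._idle and now - self._idle[0].idle_since > self.idle_timeout:
            self._idle.popleft()
            self.expired += 1
        if self._idle:
            conn = self._idle.pop()      # most recently released connection
            conn.idle_since = None
            self.reused += 1
        else:
            if len(self._in_use) + len(self._idle) >= self.max_connections:
                raise PoolExhausted(f"{self.max_connections} connections already open")
            conn = Conn(self._next_id)
            self._next_id += 1
            self.opened += 1
        self._in_use[conn.conn_id] = conn
        return conn

    def release(self, conn: Conn, now: float) -> None:
        """Session finished: keep the connection for the next ICAP session."""
        del self._in_use[conn.conn_id]
        conn.idle_since = now
        self._idle.append(conn)


def simulate(pool: IcapConnectionPool, sessions: List[Tuple[float, float]]) -> Dict[str, int]:
    """Replay ICAP sessions given as (start, end) times and return the counters.
    A release and an acquire at the same instant are ordered release-first."""
    events = sorted(
        [(end, 0, i) for i, (_, end) in enumerate(sessions)]
        + [(start, 1, i) for i, (start, _) in enumerate(sessions)]
    )
    active: Dict[int, Conn] = {}
    for when, kind, i in events:
        if kind == 1:
            active[i] = pool.acquire(when)
        else:
            pool.release(active.pop(i), when)
    return {"opened": pool.opened, "reused": pool.reused, "expired": pool.expired}


if __name__ == "__main__":
    # Three back-to-back sessions need one connection: opened 1, reused 2.
    print(simulate(IcapConnectionPool(), [(0, 1), (1, 2), (2, 3)]))
    # Three overlapping sessions need three connections.
    print(simulate(IcapConnectionPool(), [(0, 2), (0, 2), (0, 2)]))
```

Back-to-back sessions reuse a single connection, which is the pattern to expect in the WAD debug log when pooling works; overlapping sessions each need their own connection, which is why Max Connections must not be set below the number of concurrent sessions the workers can generate.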

ICAP server response extension headers

ICAP server responses can be configured to include X-Virus-ID, X-Infection-Found, and X-Violation-Found extension
headers.
config icap local-server
    edit 1
        config icap-service
            edit 1
                set extension-headers {X-Virus-id X-Infection-Found X-Violation-Found}
            next
        end
    next
end

X-Virus-id Enable X-Virus-ID ICAP extension header.


X-Infection-Found Enable X-Infection-Found ICAP extension header.
X-Violation-Found Enable X-Violation-Found ICAP extension header.
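How a client consumes these extension headers, as an added example in Python (not FortiProxy code). The ICAP message framing follows RFC 3507; the `Type=...; Resolution=...; Threat=...;` layout of X-Infection-Found and X-Violation-Found follows the ICAP extensions draft (draft-stecher-icap-subid) and is an assumption about what a given server emits. The three replies are constructed samples, not captured traffic, and the `on_failure` argument mirrors the profile's On failure choice between Error and Bypass.

```python
"""Interpret X-Virus-ID, X-Infection-Found and X-Violation-Found on the
ICAP client side. Added example; not FortiProxy code. Header layout per
RFC 3507 and the draft-stecher-icap-subid extension draft (assumed)."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed sample: antivirus ICAP server blocking an infected download
# (ICAP 200 = the server returns a replacement HTTP response, here a block page).
INFECTED_REPLY = (
    b"ICAP/1.0 200 OK\r\n"
    b'ISTag: "av-sig-12345"\r\n'
    b"X-Virus-ID: EICAR-Test-File\r\n"
    b"X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-File;\r\n"
    b"Encapsulated: res-hdr=0, res-body=71\r\n"
    b"\r\n"
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 16\r\n"
    b"\r\n"
    b"10\r\n<h1>Blocked</h1>\r\n0\r\n\r\n"
)

# Constructed sample: clean object (ICAP 204 = "no modification needed").
CLEAN_REPLY = b'ICAP/1.0 204 No Content\r\nISTag: "av-sig-12345"\r\n\r\n'

# Constructed sample: a policy violation reported without a virus name.
VIOLATION_REPLY = (
    b"ICAP/1.0 200 OK\r\n"
    b"X-Violation-Found: Type=1; Resolution=2; Threat=credit-card-number;\r\n"
    b"Encapsulated: null-body=0\r\n\r\n"
)


def parse_icap_headers(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split the ICAP status line and headers; header names are lower-cased."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0" or not parts[1].isdigit():
        raise ValueError(f"bad ICAP status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def parse_kv_header(value: str) -> Dict[str, str]:
    """'Type=0; Resolution=2; Threat=X;' -> {'Type': '0', 'Resolution': '2', 'Threat': 'X'}"""
    out: Dict[str, str] = {}
    for item in value.split(";"):
        key, eq, val = item.strip().partition("=")
        if eq:
            out[key.strip()] = val.strip()
    return out


@dataclass
class IcapVerdict:
    status: int
    virus_id: str = ""
    infection: Dict[str, str] = field(default_factory=dict)
    violation: Dict[str, str] = field(default_factory=dict)


def verdict(raw: bytes) -> IcapVerdict:
    status, h = parse_icap_headers(raw)
    return IcapVerdict(
        status=status,
        virus_id=h.get("x-virus-id", ""),
        infection=parse_kv_header(h.get("x-infection-found", "")),
        violation=parse_kv_header(h.get("x-violation-found", "")),
    )


def client_action(raw: bytes, on_failure: str = "error") -> str:
    """Map a reply to what the proxy does with the HTTP transaction.
    on_failure is the profile's On failure setting: 'error' or 'bypass'."""
    if on_failure not in ("error", "bypass"):
        raise ValueError("on_failure must be 'error' or 'bypass'")
    try:
        v = verdict(raw)
    except ValueError:
        return on_failure           # an unparseable reply counts as a server failure
    if v.status >= 500:
        return on_failure
    if v.status == 204:
        return "allow"              # clean: forward the original content
    if v.status != 200:
        return on_failure           # e.g. 404 service not found on the ICAP server
    if v.infection.get("Resolution") == "1":
        return "allow-repaired"     # draft semantics: object was repaired (assumed)
    if v.virus_id or v.infection or v.violation:
        return "block"              # serve the server's replacement (block page)
    return "allow-modified"         # 200 without findings: content was rewritten
```

The findings are taken from the headers rather than from the replacement body, so the verdict is available before the encapsulated HTTP response is read, which is what makes the headers useful for logging the threat name and for choosing between the Error and Bypass behaviours.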


X-Scan-Progress-Interval header in the FortiProxy ICAP client

You can specify that the X-Scan-Progress-Interval header is used in the FortiProxy ICAP client and specify the scan
progress interval value:
config icap profile
    edit <profile_name>
        set response {enable | disable}
        set response-server <name_of_ICAP_server>
        set response-path <HTTP_response_processing_service>
        set extension-feature scan-progress
        set scan-progress-interval <5-30 seconds (default = 10)>
    next
end

Timeout configuration for the FortiProxy ICAP client

You can configure the number of seconds that the ICAP client waits for a response from the ICAP server:
config icap profile
    edit <profile_name>
        set timeout <30-3600 seconds (default = 30)>
    next
end

ICAP Remote Server

To view the list of ICAP remote servers, go to Content Analyses > ICAP Remote Servers.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create an ICAP remote server. See Create or edit an ICAP remote server on
page 307.

Edit Edit an ICAP remote server. See Create or edit an ICAP remote server on page
307.

Delete Delete an ICAP remote server or servers.

Name The name of the ICAP remote server.

Address The IP address of the ICAP remote server.


Port The port number that the ICAP remote server is using.

Health Check Indicates whether health check is enabled or disabled for the ICAP remote server.

Status Health status of the ICAP remote server, which can be Online, Offline, or
Unknown.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

The health check options are added in FortiProxy 7.0.9.

Create or edit an ICAP remote server

Select Create New to open the New ICAP Remote Server window.

To open the Edit ICAP Remote Server window, select a server and then click Edit.
Configure the following settings in the New ICAP Remote Server window or Edit ICAP Remote Server window and then
click OK:

Name Enter a name for the ICAP remote server. After you create an ICAP remote
server, you cannot change the name.

Address Type Select IPv4 or IPv6 Address or FQDN.


IP Address/IPv6 Address/FQDN Enter the IPv4 or IPv6 address or the Fully Qualified Domain Name (FQDN) for the
ICAP remote server.

Plain ICAP Connection Enable or disable unsecure connection from the FortiProxy unit to the remote
ICAP server.

Secure ICAP Connection Enable or disable secure SSL connection from the FortiProxy unit to the remote
ICAP server.

Plain/Secure ICAP Port Enter the TCP port number used by the ICAP remote server, from 1 to 65,535.
The default is 1344.

Certificate Select the CA certificate. This option is available only if you enable Secure ICAP
Connection.

Max Connections Enter the maximum number of concurrent connections to the ICAP remote server.
Must not be less than wad-workercount. The default is 100. The valid value range
is 0-4294967295.
This option is available only if you enable Secure ICAP Connection.

Health Check Enable or disable ICAP remote server health checking. When enabled, FortiProxy
attempts to connect to the remote ICAP server to verify that the server is
operating normally and generates an event log each time the ICAP server health
check fails or goes back online. The default is disabled.

Health Check Service Enter the ICAP service name to use for health checks.

To configure an ICAP remote server via CLI:

config icap remote-server
    edit <server_name>
        set addr-type [ip4|ip6|fqdn]
        set ip-address {ipv4-address-any}
        set ip6-address {ipv6-address}
        set fqdn {string}
        set port {integer}
        set max-connections {integer}
        set secure [disable|enable]
        set ssl-cert {string}
        set healthcheck [disable|enable]
        set healthcheck-service {string}
    next
end

The health check options are added in FortiProxy 7.0.9.


ICAP Load Balancing

ICAP load balancing can be configured to balance the traffic load across ICAP servers based on assigned weights, to send
new sessions to the ICAP server with the lowest session count, or to send new sessions to the active ICAP server with the
highest weight.

To configure ICAP load balancing in the GUI:

1. Go to Content Analyses > ICAP Load Balancing and click Create New.
2. Enter a name for the ICAP load-balancing configuration.
3. Select the load-balancing method:
   • Weighted: Balance the traffic load to ICAP servers based on the assigned weights.
   • Least Session: Send new sessions to the ICAP server with the lowest session count.
   • Active Passive: Send new sessions to the active ICAP server with the highest weight.
4. To create a server list for load balancing:
   a. Click Create New in the Set up Server List for Load Balance table.
   b. Select or create a remote server. See ICAP Remote Server on page 306 for information.
   c. Enter a weight for the remote server.
   d. Click OK.
   e. Add more servers as required.
5. Click OK.

To configure ICAP load balancing in the CLI:

config icap remote-server-group
    edit <name>
        set ldb-method {weighted | least-session | active-passive}
        config server-list
            edit <ICAP_remote_server>
                set weight <integer>
            next
        end
    next
end
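The three ldb-method choices as selection logic, in an added Python example that is not FortiProxy code. It chooses among a server list using each server's weight, its current session count and its last health-check result, so offline servers are skipped by every method. The weighted method uses smooth weighted round-robin and ties are broken by list order; both are assumptions, since the page only says the load is balanced "based on assigned weights". Server names are constructed.

```python
"""ICAP load-balancing methods: weighted, least-session, active-passive.
Added example; not FortiProxy code. Smooth weighted round-robin and
list-order tie-breaking are assumptions."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class IcapServer:
    name: str
    weight: int = 1
    sessions: int = 0      # ICAP sessions currently open to this server
    online: bool = True    # last health-check result


class IcapServerGroup:
    METHODS = ("weighted", "least-session", "active-passive")

    def __init__(self, method: str, servers: List[IcapServer]) -> None:
        if method not in self.METHODS:
            raise ValueError(f"unknown ldb-method {method!r}")
        self.method = method
        self.servers = servers
        self._current: Dict[str, int] = {s.name: 0 for s in servers}  # WRR state

    def _candidates(self) -> List[IcapServer]:
        """Only servers that passed the health check and carry a weight."""
        return [s for s in self.servers if s.online and s.weight > 0]

    def select(self) -> IcapServer:
        cands = self._candidates()
        if not cands:
            raise RuntimeError("no healthy ICAP server in group")
        if self.method == "weighted":
            # Smooth weighted round-robin: each pick adds every candidate's
            # weight to its running score; the highest score wins and pays
            # back the total, so over time picks are proportional to weight.
            total = sum(s.weight for s in cands)
            for s in cands:
                self._current[s.name] += s.weight
            best = max(cands, key=lambda s: self._current[s.name])  # first on ties
            self._current[best.name] -= total
            return best
        if self.method == "least-session":
            return min(cands, key=lambda s: (s.sessions, self.servers.index(s)))
        # active-passive: the online server with the highest weight takes all
        # new sessions; lower-weight servers only see traffic when it fails.
        return max(cands, key=lambda s: (s.weight, -self.servers.index(s)))

    def start_session(self) -> IcapServer:
        server = self.select()
        server.sessions += 1
        return server

    def end_session(self, server: IcapServer) -> None:
        server.sessions -= 1


def distribute(group: IcapServerGroup, n: int) -> List[str]:
    """Server names chosen for n consecutive new sessions (left open)."""
    return [group.start_session().name for _ in range(n)]


if __name__ == "__main__":
    wrr = IcapServerGroup("weighted", [IcapServer("A", 3), IcapServer("B", 1)])
    print(distribute(wrr, 8))   # 3:1 split, e.g. A A B A A A B A
```

With weights 3 and 1 the weighted method hands three of every four sessions to the heavier server; with least-session the server carrying fewer open sessions is chosen regardless of weight; with active-passive only the highest-weight online server is used until a health check marks it offline.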


ICAP Local Server

To view the list of ICAP local servers, go to Content Analyses > ICAP Local Servers.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create an ICAP local server. See Create or edit an ICAP local server on page
310.

Edit Edit an ICAP local server. See Create or edit an ICAP local server on page 310.

Delete Delete an ICAP local server or servers.

ID The identifier for the ICAP local server.

Status Whether the server is active.

Interfaces The interface that the ICAP local server will use.

Incoming IP The IP address that the ICAP local server will use.

Original Address The original address.

Create or edit an ICAP local server

Select Create New to open the New ICAP Local Server window.


To open the Edit ICAP Local Server window, select a server and then click Edit.
Configure the following settings in the New ICAP Local Server window or Edit ICAP Local Server window and then click
OK:

Status Enable or disable this ICAP local server.

Interfaces Select an interface for the ICAP local server to use.

Incoming IP Enter an IP address for the ICAP local server to use.

Original Address Select the original address.

Create New Create an ICAP service. See Create or edit an ICAP service on page 312.

Edit Edit an ICAP service. See Create or edit an ICAP service on page 312.

Delete Delete an ICAP service.

ID The identifier for the ICAP service.

Name The name of the ICAP service.

DLP Sensor The DLP sensor used by the ICAP service.

Webfilter Profile The web filter profile used by the ICAP service.

AV Profile The antivirus profile used by the ICAP service.


Create or edit an ICAP service

Select Create New to open the New ICAP Service window.

To open the Edit ICAP Service window, select an ICAP service and then click Edit.
Configure the following settings in the New ICAP Service window or Edit ICAP Service window and then click OK:

Name Enter the name of the ICAP service.

DLP Sensor Select the DLP sensor that the ICAP service will use. See Create or edit a DLP
sensor on page 289.

Webfilter Profile Select the web filter profile that the ICAP service will use. See Create or edit a
web filter profile on page 231.

AV Profile Select the antivirus profile that the ICAP service will use. See Create or edit an
antivirus profile on page 224.

ICAP scanning with FTP

Transferred files can be forwarded to the ICAP server for further processing using FTP.
1. Configure an ICAP remote server. See ICAP Remote Server on page 306 for more information.
2. Create an ICAP profile that references the server. See ICAP Profile on page 303 for more information.
3. Create an explicit FTP proxy policy that uses the ICAP profile.

Explicit FTP proxy must be enabled and configured before an explicit FTP proxy policy can be
configured. See FTP Proxy on page 69 for information.


To configure ICAP scanning with FTP in the GUI:

1. Configure an ICAP remote server:
   a. Go to Content Analyses > ICAP Remote Server and click Create New.
   b. Set the server Name, such as icap1.
   c. Set the IP address, such as 172.18.20.43.
   d. Configure the remaining settings as required.
   e. Click OK.
2. Create an ICAP profile:
   a. Go to Content Analyses > ICAP Profile and click Create New.
   b. Set the profile Name, such as icapFTP.
   c. In the FTP section:
      i. Set Protocol to FTP.
      ii. Set Server to icap1.
      iii. Set On failure as required.
      iv. Set Path to the path of the FTP service.
   d. Configure the remaining settings as required.
   e. Click OK.
3. Create an explicit FTP proxy policy:

The ICAP profile can only be applied to the policy in the CLI.


   a. Go to Policy & Objects > Policy and click Create New.
   b. Set Type to FTP.
   c. Set the policy Name, such as icapFTPpolicy.
   d. Set the Outgoing Interface, Source, Destination, Schedule, and the SSL/SSH Inspection method.
   e. Configure the remaining settings as required.
   f. Click OK.
   g. Edit the policy and click Edit in CLI in the right sidebar to enable the UTM status and set the ICAP profile.

To configure ICAP scanning with FTP in the CLI:

1. Configure an ICAP remote server:

config icap remote-server
    edit "icap1"
        set ip-address 172.18.20.43
    next
end

2. Create an ICAP profile:

config icap profile
    edit "icapFTP"
        set file-transfer ftp
        set file-transfer-server "icap1"
        set file-transfer-failure error
        set file-transfer-path "ftpicap"
    next
end

3. Create an explicit FTP proxy policy:

config firewall policy
    edit 1
        set type explicit-ftp
        set name "test"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set ssl-ssh-profile "certificate-inspection"
        set utm-status enable
        set icap-profile "icapFTP"
    next
end

WAN Optimization

You can add WAN optimization to improve traffic performance and efficiency as it crosses the WAN. For more
information about WAN optimization, see WAN optimization on page 20.
Starting in FortiProxy 7.0.0, the WAD traffic dispatcher now allows incoming traffic to be directly distributed to the
workers. This enhancement also allows source addresses to be exempt from proxy affinity, which allows traffic from the
same source and different server to be distributed to workers in a round-robin configuration. A maximum of 255 workers
is now supported.
This section describes the following:
• Profiles on page 315
• Peers on page 319
• Authentication Groups on page 320

Profiles

FortiProxy WAN optimization consists of a number of techniques that you can apply to improve the efficiency of
communication across your WAN. These techniques include the following:
• Protocol optimization—Protocol optimization can improve the efficiency of traffic that uses the CIFS, FTP, HTTP, or
  MAPI protocol, as well as general TCP traffic.
• Byte caching—Byte caching caches files and other data on FortiProxy units to reduce the amount of data
  transmitted across the WAN.
• Web caching—Web caching stores web pages on FortiProxy units to reduce latency and delays between the WAN
  and web servers.
• SSL offloading—SSL offloading offloads SSL decryption and encryption from web servers onto FortiProxy SSL
  acceleration hardware.
• Secure tunneling—Secure tunneling secures traffic as it crosses the WAN.
You can apply different combinations of these WAN optimization techniques to a single traffic stream depending on the
traffic type. For example, you can apply byte caching and secure tunneling to any TCP traffic. For HTTP and HTTPS
traffic, you can also apply protocol optimization and web caching.
You can view the list of WAN optimization profiles by going to WAN Optimization > Profiles and selecting the List icon
(the farthest right of the three icons in the upper right of the window; it resembles a page with some lines on it) in the Edit
WAN Optimization Profile page toolbar.


Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a WAN optimization profile. See Create or edit a WAN optimization profile
on page 316.

Edit Modify the profile. See Create or edit a WAN optimization profile on page 316.

Delete Remove the profile.

Name The name of the WAN optimization profile.

Ports The ports used by the profile.

Transparent Whether the WAN optimization transparent mode is enabled.


For more information about the WAN optimization transparent mode, see WAN
optimization transparent mode on page 20.

Authentication Group The authentication group used by the profile, if any.


See Authentication Groups on page 320.

Comments Optional description of the WAN optimization profile.

Create or edit a WAN optimization profile

To configure WAN optimization profiles, go to WAN Optimization > Profiles. The Edit WAN Optimization Profile page is
displayed.


Configure the following settings and then select Apply to save your changes:

drop-down list Select a profile to edit from the drop-down list. See To create a WAN optimization
profile: on page 318.

Create New icon Create a WAN optimization profile. See To edit a WAN optimization profile: on
page 318.

Clone icon Clone the current profile. See To clone a WAN optimization profile: on page 318.

List icon View the WAN optimization profile list. See Profiles on page 315.

Name Enter a name for the WAN optimization profile.

Comments Optionally, enter a description of the profile.

Transparent Mode Enable or disable transparent mode.


For more information about the WAN optimization transparent mode, see WAN
optimization transparent mode on page 20.


Authentication Group Enable to select the authentication group from the drop-down list that will be
applied to the WAN optimization profile. To create an authentication group, see
Create or edit an authentication group on page 321.

Protocol Select the protocols that are enabled for this profile: CIFS, FTP, HTTP, MAPI, and
TCP.
NOTE: The FortiProxy unit supports WAN optimization for SMBv1, SMBv2 and
SMBv3 (unencrypted only) protocols.

SSL Offloading Select to enable SSL offloading.


SSL offloading offloads SSL decryption and encryption from web servers onto
FortiProxy SSL acceleration hardware. It is only available for HTTP and TCP
protocols.

Secure Tunneling Select to enable secure tunneling.


To use secure tunneling, it must be enabled for a protocol, and an authentication
group must be added. The authentication group specifies the certificate or pre-
shared key used to set up the secure tunnel. The Peer Acceptance setting of the
authentication group does not affect secure tunneling.
The FortiProxy units at each end of the secure tunnel must have the same
authentication group with the same name and the same configuration, including
the same pre-shared key or certificate.

Byte Caching Select to enable byte caching.


Byte caching breaks large units of application data (for example, a file being
downloaded from a web page) into small chunks of data, labeling each chunk of
data with a hash of the chunk and storing those chunks and their hashes in a
database. The database is stored on a WAN optimization storage device.
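The byte caching mechanism just described, as an added Python example that is not FortiProxy code: data is split into chunks, each chunk is labelled with its SHA-256 hash and stored in a dictionary, and a sender transmits only the hash for chunks the far-end unit already holds. Content-defined chunk boundaries via a rolling hash are a common technique for this, but the page does not state how FortiProxy chooses boundaries, so `WINDOW`, `BOUNDARY_MASK`, `MIN_CHUNK` and `MAX_CHUNK` are assumptions, as is the simplification that the sender assumes its peer keeps every chunk ever sent. The sample "file" is constructed pseudo-random data.

```python
"""Byte caching: chunk, hash, store, and send references instead of data.
Added example; not FortiProxy code. Chunking parameters are assumptions."""
import hashlib
import random
from typing import Dict, List, Tuple

WINDOW = 16           # bytes hashed to decide whether a boundary falls here
BOUNDARY_MASK = 0xFF  # boundary when the low 8 bits are zero: ~256-byte chunks
MIN_CHUNK = 64        # no boundary test until the chunk is at least this long
MAX_CHUNK = 4096      # forced boundary so a chunk never grows without bound

Message = Tuple[str, bytes]   # ("raw", chunk) or ("ref", sha256 digest)


def split_chunks(data: bytes) -> List[bytes]:
    """Content-defined chunking: boundaries depend on the bytes themselves,
    so inserting data near the start does not shift every later boundary."""
    chunks, start = [], 0
    for i in range(len(data)):
        length = i - start + 1
        if length < MIN_CHUNK:
            continue
        h = 0
        for b in data[max(0, i - WINDOW + 1):i + 1]:
            h = (h * 31 + b) & 0xFFFFFFFF
        if (h & BOUNDARY_MASK) == 0 or length >= MAX_CHUNK:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


class ByteCachePeer:
    """One end of a WAN optimization tunnel with its chunk database."""

    def __init__(self) -> None:
        self.store: Dict[bytes, bytes] = {}

    def encode(self, data: bytes) -> List[Message]:
        """Sender: reference chunks already exchanged, send the rest raw.
        Simplification: assumes the peer keeps every chunk we ever sent."""
        msgs: List[Message] = []
        for chunk in split_chunks(data):
            digest = hashlib.sha256(chunk).digest()
            if digest in self.store:
                msgs.append(("ref", digest))
            else:
                self.store[digest] = chunk
                msgs.append(("raw", chunk))
        return msgs

    def decode(self, msgs: List[Message]) -> bytes:
        """Receiver: rebuild the data, learning new chunks as they arrive.
        Raw chunks are keyed by a digest the receiver computes itself, so a
        sender cannot plant a chunk under a hash that other data references."""
        parts: List[bytes] = []
        for kind, payload in msgs:
            if kind == "raw":
                self.store[hashlib.sha256(payload).digest()] = payload
                parts.append(payload)
            elif kind == "ref":
                parts.append(self.store[payload])  # KeyError: databases out of sync
            else:
                raise ValueError(f"unknown message kind {kind!r}")
        return b"".join(parts)


def wire_size(msgs: List[Message]) -> int:
    """Bytes crossing the WAN: a reference costs only its 32-byte digest."""
    return sum(len(payload) for _, payload in msgs)


def transfer(sender: ByteCachePeer, receiver: ByteCachePeer, data: bytes) -> Tuple[bytes, int]:
    msgs = sender.encode(data)
    return receiver.decode(msgs), wire_size(msgs)


def make_sample_file(size: int = 16 * 1024, seed: int = 7) -> bytes:
    """Constructed sample payload: deterministic pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    client, server = ByteCachePeer(), ByteCachePeer()
    blob = make_sample_file()
    for label, payload in [("first", blob), ("repeat", blob), ("edited", b"X" + blob)]:
        out, sent = transfer(client, server, payload)
        print(f"{label}: {len(payload)} bytes of data, {sent} bytes on the wire, ok={out == payload}")
```

The first transfer costs the full file; a repeat costs one digest per chunk; a copy with a byte inserted at the front still resolves almost entirely to references, because content-defined boundaries realign after the insertion point, which fixed-size chunking would not do.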

You can add, edit, clone, and delete WAN optimization profiles.

To create a WAN optimization profile:

1. From either the Edit WAN Optimization Profile page or the WAN optimization profile list, select Create New.
2. Enter the required information and then click OK to create the new WAN optimization profile.

To edit a WAN optimization profile:

1. From the Edit WAN Optimization Profile page, select the profile you need to edit from the profile drop-down list.
Alternatively, from the profile list, either select the profile you want to edit and then click Edit from the toolbar or
double-click on the profile name in the list. The Edit WAN Optimization Profile page opens.
2. Edit the information as required and then select Apply to apply your changes.

To clone a WAN optimization profile:

1. From the Edit WAN Optimization Profile page, select the profile you need to clone from the profile drop-down list.
2. Select Clone from the toolbar.
3. Enter a name for the profile in the dialog box and then click OK.
4. Edit the clone as required.


To delete a profile or profiles:

1. From the profile list, select the profile or profiles that you want to delete.
2. Click Delete from the toolbar.
3. Click OK in the confirmation dialog box to delete the selected profile or profiles.

Peers

The client-side and server-side FortiProxy units are called WAN optimization peers because all of the FortiProxy units in
a WAN optimization network have the same peer relationship with each other. The client and server roles relate to how a
session is started. Any FortiProxy unit configured for WAN optimization can be both a client-side and a server-side
FortiProxy unit at the same time, depending on the direction of the traffic. Client-side FortiProxy units initiate WAN
optimization sessions, and server-side FortiProxy units respond to the session requests. Any FortiProxy unit can be a
client-side FortiProxy unit for some sessions and a server-side FortiProxy unit for others.
To identify all of the WAN optimization peers that a FortiProxy unit can perform WAN optimization with, host IDs and IP
addresses of all of the peers are added to the FortiProxy unit configuration. The peer IP address is actually the IP
address of the peer unit interface that communicates with the FortiProxy unit.
Go to WAN Optimization > Peer Settings to view the WAN optimization peer list.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a WAN optimization peer. See To create a WAN optimization peer: on
page 320.

Edit Edit a WAN optimization peer. See To create a WAN optimization peer: on page
320.

Delete Delete a WAN optimization peer or peers.

Search Enter a search term to search for in the peer list.

Local Host ID The local host identifier. Enter an identifier and then select Apply to apply the
identifier.

Peer Host ID The peer host identifier of the WAN optimization peer.

IP Address The IP address of the peer.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create or edit a WAN optimization peer

To create a WAN optimization peer:

1. From the peer list, select Create New in the toolbar. The New WAN Optimization Peer window opens.
2. Enter the Peer Host ID and IP Address.
3. Click OK to create the new peer.

To edit a WAN optimization peer:

1. Select the peer that you want to edit in the peer list and then click Edit from the toolbar or double-click on the peer in
the peer list. The Edit WAN Optimization Peer window opens.
2. Edit the peer as required and click OK to apply your changes.

To delete a WAN optimization peer or peers:

1. Select the peer or peers that you want to delete in the peer list.
2. Click Delete from the toolbar.
3. Click OK in the confirmation dialog box to delete the selected peer or peers.

Authentication Groups

You need to add authentication groups to support authentication and secure tunneling between WAN optimization
peers.
To perform authentication, WAN optimization peers use a certificate or a pre-shared key added to an authentication
group, so they can identify each other before forming a WAN optimization tunnel. Both peers must have an
authentication group with the same name and settings. The authentication group is added to a peer-to-peer or active rule
on the client-side FortiProxy unit. When the server-side FortiProxy unit receives a tunnel start request that includes an
authentication group from the client-side unit, the server-side unit finds an authentication group in its configuration with
the same name. If both authentication groups have the same certificate or pre-shared key, the peers can authenticate
and set up the tunnel.
Go to WAN Optimization > Authentication to manage the authentication groups.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create an authentication group. See Create or edit an authentication group on
page 321.

Edit Edit an authentication group. See Create or edit an authentication group on page
321.

Delete Delete an authentication group or groups.

Search Enter a search term to search for in the group list.

Name The name of the authentication group.

Authentication Method The authentication used by the group, either Certificate or Pre-shared key.

Peer(s) The peer or peers in the authentication group.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create or edit an authentication group

To create an authentication group:

1. Go to WAN Optimization > Authentication.
2. Select Create New from the toolbar. The New Authentication Group window opens.


3. Enter the following information:

Name Enter a name for the authentication group.

Authentication Method Select the authentication method to use.
• Certificate: Use a certificate to authenticate and encrypt WAN optimization tunnels. Then select a local
  certificate that has been added to this FortiProxy unit from the drop-down list.
• Pre-shared Key: Use a pre-shared key or password to authenticate and encrypt WAN optimization tunnels.
  Then enter the password (or pre-shared key) in the Password field.
Other FortiProxy units that participate in WAN optimization tunnels with this unit must have an authentication
group with the same name and password. The password must contain at least 6 printable characters and should be
known only by network administrators. For optimum protection against currently known attacks, the key should
consist of a minimum of 16 alphanumeric characters.

Certificate Select a local certificate from the drop-down list.

Pre-shared Key Enter the pre-shared key.

Accept Peer(s) Select the peer acceptance method for the authentication group.
• Any: If you do not know the peer host IDs or IP addresses of the peers that will use this authentication group.
  This setting is most often used for WAN optimization with FortiProxy units that do not have static IP
  addresses, such as units that use DHCP.
• Defined Only: Authenticate only with peers that have been added to the peer list.
• Specify: Select a peer from the drop-down list to authenticate with the selected peer only. Select Create New
  from the drop-down list to create a peer; see Create or edit a WAN optimization peer on page 320.

4. Click OK to create the new authentication group.


The authentication group can now be added to WAN optimization profiles to apply the authentication settings in the
authentication group to the profile. See Create or edit a WAN optimization profile on page 316.


To edit an authentication group:

1. Go to WAN Optimization > Authentication.
2. Select the group you want to edit and then click Edit from the toolbar or double-click on the group in the
   authentication group list. The Edit Authentication Group window opens.
3. Edit the group information as required and click OK to apply your changes.

To delete an authentication group or groups:

1. Go to WAN Optimization > Authentication.
2. Select the group or groups that you want to delete.
3. Click Delete from the toolbar.
4. Click OK in the confirmation dialog box to delete the selected group or groups.

Web Cache

You can use web caching to cache web pages from any web server. All traffic between a client network and one or more
web servers is then intercepted by a web cache policy. This policy causes the FortiProxy unit to cache pages from the
web servers on the FortiProxy unit and makes the cached pages available to users on the client network. Web caching
can be configured for standard and reverse web caching.
In a standard web caching configuration, the FortiProxy unit caches pages for users on a client network. A router sends
HTTP traffic to be cached to the FortiProxy unit.
You can also create a reverse proxy web caching configuration where the FortiProxy unit is dedicated to providing web
caching for a single web server or server farm. In this second configuration, one or more FortiProxy units can be installed
between the server network and the WAN or Internet, or traffic to be cached can be routed to the FortiProxy units.
This section describes the following:
• Settings on page 324
• WCCP Settings on page 329
• User Agent on page 336
• Reverse Cache Server on page 338
• Prefetch URLs on page 339
• Prefetch File on page 341

Settings

You can optimize web cache settings to improve performance and exempt specific URL patterns from caching and/or
forward them to a web proxy server.
In most cases, the default settings for the WAN optimization web cache are acceptable. However, you might want to
change them to improve performance or optimize the cache for your configuration.
Go to Web Cache > Settings to configure web cache settings.


Configure the following settings and then select Apply to save your changes:

Always Revalidate Always re-validate requested cached objects with content on the server before
serving them to the client.


Max Cache Object Size The maximum size of objects (files) that are cached (the default is 512,000 KB).
Objects that are larger than this size are still delivered to the client but are not
stored in the FortiProxy web cache.

Negative Response Duration The amount of time, in minutes, that the FortiProxy unit caches error responses
from web servers (default is 0 minutes).
The content server might send a client error code (4xx HTTP response) or a
server error code (5xx HTTP response) as a response to some requests. If the
web cache is configured to cache these negative responses, it returns that
response in subsequent requests for that page or image for the specified number
of minutes, regardless of the actual object status.

Fresh Factor For cached objects that do not have an expiry time, the web cache periodically
checks the server to see if the objects have expired. The higher the fresh factor,
the less often the checks occur (default is 100%).
For example, if you set Max TTL and Default TTL to 7,200 minutes (5 days) and
set Fresh Factor to 20, the web cache checks the cached objects 5 times before
they expire, but, if you set the Fresh Factor to 100, the web cache will only check
once.

Max TTL The maximum amount of time (Time to Live), in minutes, an object can stay in the
web cache without the cache checking to see if it has expired on the server. From
1 to 5,256,000 minutes (one year) (default is 7,200 minutes).

Min TTL The minimum amount of time an object can stay in the web cache before the web
cache checks to see if it has expired on the server. From 1 to 5,256,000 minutes
(default is 5 minutes).

Default TTL The default expiry time for objects that do not have an expiry time set by the web
server. From 1 to 5,256,000 minutes (default is 1,440 minutes).

Proxy FQDN This setting cannot be changed from the default: default.fqdn.

Max HTTP request length This setting cannot be changed from the default: 4KB.

Max HTTP message length This setting cannot be changed from the default: 32KB.

Ignore

If-modified-since If the time specified by the if-modified-since (IMS) header in the client's
conditional request is greater than the last modified time of the object in the
cache, it is a strong indication that the copy in the cache is stale. If so, HTTP does
a conditional GET to the original content source, based on the last modified time
of the cached object.
Enable ignoring if-modified-since to override this behavior.

HTTP 1.1 Conditionals HTTP 1.1 provides additional controls to the client for the behavior of caches
toward stale objects. Depending on various cache-control headers, the FortiProxy
unit can be forced to consult the OCS before serving the object from the cache.
For more information about the behavior of cache-control header values, see
RFC 2616.
Enable ignoring HTTP 1.1 conditionals to override this behavior.


Pragma-no-cache Typically, if a client sends an HTTP GET request with a pragma no-cache (PNC)
or cache-control no-cache header, a cache must consult the OCS before serving
the content. This behavior means that the unit always re-fetches the entire object
from the OCS, even if the cached copy of the object is fresh.
Because of this behavior, PNC requests can degrade performance and increase
server-side bandwidth use.
Enable ignoring Pragma-no-cache so that the PNC header from the client request
is ignored. The FortiProxy unit treats the request as if the PNC header is not
present.

IE Reload Some versions of Internet Explorer issue Accept / header instead of Pragma no-
cache header when you select Refresh. When an Accept header has only the /
value, the FortiProxy unit treats it as a PNC header if it is a type-N object. Enable
ignoring IE reload to cause the FortiProxy unit to ignore the PNC interpretation of
the Accept / header.

Expiry Options

Cache Expired Objects Enable to cache expired type-1 objects (if all other conditions make the object
cacheable).

Revalidate Pragma-no-cache The PNC header in a request can affect how efficiently the device uses
bandwidth.
If you do not want to completely ignore PNC in client requests by selecting Ignore
> Pragma-no-cache, you can lower the impact on bandwidth usage with this
option.
When selected, a clientʼs nonconditional PNC-GET request results in a
conditional GET request sent to the OCS if the object is already in the cache. This
gives the OCS a chance to return a 304 Not Modified response, which
consumes less server-side bandwidth because the OCS has not been forced to
return the full content.
By default, Revalidate Pragma-no-cache is disabled and is not affected by
changes in the top-level profile. When the Substitute Get for PNC configuration is
enabled, the Revalidate Pragma-no-cache configuration has no effect.
Most download managers make byte-range requests with a PNC header. To
serve such requests from the cache, you also need to configure byte-range
support when you configure the Revalidate Pragma-no-cache option.
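
The Ignore and Expiry Options settings interact, and it is easy to misjudge which one wins for a given request. The following Python model is an added example written for this guide, not FortiProxy code: it encodes the table text as a decision function over a cached object and the headers of a request for it. The rule order, reading Min TTL as a window in which no revalidation happens at all, using Cache-Control: max-age=0 to stand in for the other HTTP/1.1 conditionals, and carrying header dates as epoch seconds are all assumptions made for illustration.

```python
"""Model of the revalidation decisions described in the Ignore and Expiry
Options tables. Added example, not FortiProxy code: rule order, the Min TTL
reading, the max-age=0 stand-in and epoch-second dates are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class CacheProfile:
    min_ttl_min: int = 5            # Min TTL in minutes (default 5)
    default_ttl_min: int = 1440     # Default TTL in minutes (default 1440)
    ignore_ims: bool = False        # Ignore > If-modified-since
    ignore_http11: bool = False     # Ignore > HTTP 1.1 Conditionals
    ignore_pnc: bool = False        # Ignore > Pragma-no-cache
    ignore_ie_reload: bool = False  # Ignore > IE Reload
    revalidate_pnc: bool = False    # Expiry Options > Revalidate Pragma-no-cache


@dataclass
class CachedObject:
    url: str
    stored_at: int            # epoch seconds when the copy entered the cache
    last_modified: int        # Last-Modified from the origin, epoch seconds
    expires: Optional[int]    # origin expiry, epoch seconds; None if none was sent


def expiry_time(obj: CachedObject, profile: CacheProfile) -> int:
    """Origin expiry if present, otherwise stored time plus Default TTL."""
    if obj.expires is None:
        return obj.stored_at + profile.default_ttl_min * 60
    return obj.expires


def decide(obj: CachedObject, headers: Dict[str, str], now: int,
           profile: CacheProfile) -> str:
    """Decide how to serve a request for an object that is already cached.

    Returns "HIT" (serve the cached copy), "CONDITIONAL_GET" (ask the OCS and
    hope for 304 Not Modified) or "FULL_FETCH" (re-fetch the whole object).
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = h.get("cache-control", "")

    # Pragma: no-cache or Cache-Control: no-cache means "consult the OCS".
    pnc = h.get("pragma") == "no-cache" or "no-cache" in cc
    # Some IE versions send "Accept: /" instead of PNC on Refresh.
    if h.get("accept") == "/" and not profile.ignore_ie_reload:
        pnc = True
    if pnc and not profile.ignore_pnc:
        # Revalidate PNC downgrades the full re-fetch to a conditional GET.
        return "CONDITIONAL_GET" if profile.revalidate_pnc else "FULL_FETCH"

    # An If-Modified-Since newer than our copy's Last-Modified suggests staleness.
    ims = h.get("if-modified-since")
    if ims is not None and not profile.ignore_ims and int(ims) > obj.last_modified:
        return "CONDITIONAL_GET"

    # Other HTTP/1.1 conditionals (assumption: max-age=0 stands in for them).
    if "max-age=0" in cc and not profile.ignore_http11:
        return "CONDITIONAL_GET"

    # Freshness: inside the Min TTL window the cache does not revalidate at all
    # (assumption about how the option is read); after that, expiry decides.
    if now - obj.stored_at < profile.min_ttl_min * 60:
        return "HIT"
    return "CONDITIONAL_GET" if now >= expiry_time(obj, profile) else "HIT"


if __name__ == "__main__":
    obj = CachedObject("http://example.test/a", stored_at=1000, last_modified=900, expires=None)
    for prof in (CacheProfile(), CacheProfile(revalidate_pnc=True), CacheProfile(ignore_pnc=True)):
        print(prof, decide(obj, {"Pragma": "no-cache"}, 1060, prof))
```

Running it with Pragma: no-cache against a fresh object shows the three outcomes the Revalidate Pragma-no-cache text describes: a full re-fetch by default, a conditional GET with Revalidate enabled, and a cache hit when Ignore > Pragma-no-cache is selected. Comparing an expired object at Min TTL 5 and Min TTL 0 shows why a large Min TTL can keep serving a copy the origin has already declared stale.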

HTTP traffic caching reports

Another way to review traffic caching is to generate top-entry reports with the following CLI commands:
config system global
set http-view {enable | disable}
end

After enabling top-entry reports, you can execute and generate six different kinds of reports, depending upon what
statistics you are interested in. Enter the following command:
execute http-view report {00 | 01 | 02 | 03 | 04 | 05}

Enter the two-digit value for the report that you want generated:


• 00: Top entries by total HTTP requests
• 01: Top entries by bandwidth consumed
• 02: Top entries by cacheable percent of total requests
• 03: Top entries by cache hit percent of total requests
• 04: Top entries by cache hit percent of cacheable requests
• 05: Top entries by bandwidth saved with cache hits
Each generated report shows the appropriate domain traffic within the last hour.


WCCP Settings

WCCP can be used to provide web caching with load balancing and fault tolerance. In a WCCP configuration, a WCCP
server receives HTTP requests from users’ web browsers and redirects the requests to one or more WCCP clients. The
clients either return cached content or request new content from the destination web servers, before caching it and
returning it to the server. The server then returns the content to the original requester. If a WCCP configuration includes
multiple WCCP clients, the WCCP server balances traffic among the clients and can detect when a client fails and
redirects traffic to still operating clients. WCCP is described by the Web Cache Communication Protocol internet draft.

You can purge specific cached content with a CLI command. See Purging specific cached
content for details.

FortiProxy units operate as WCCP clients and support WCCPv2. FortiProxy units use UDP port 2048 for WCCP
communication, with user traffic encapsulated in GRE-mode or L2-mode.
This section describes the following:
• WCCP service groups, numbers, IDs, and well-known services on page 329
• WCCP configuration overview on page 330
• Example: Caching HTTP sessions on page 330
• WCCP packet flow on page 334
• Configure forward and return methods and adding authentication on page 334
• WCCP messages on page 335
• Troubleshooting WCCP on page 335

WCCP service groups, numbers, IDs, and well-known services

A FortiProxy unit configured as a WCCP client can include multiple client configurations. Each of these configurations is
called a WCCP service group. A service group consists of one or more FortiProxy units configured as WCCP servers (or
routers) and one or more FortiProxy WCCP clients working together to cache a specific type of traffic. The service group
configuration includes information about the type of traffic to be cached, the addresses of the WCCP clients and servers,
and other information about the service.
A service group is identified with a numeric WCCP service ID (or service number) in the range 0 to 255. All of the servers
and clients in the same WCCP service group must have service group configurations with the same WCCP service ID.
The value of the service ID provides some information about the type of traffic to be cached by the service group. Service
IDs in the range 0 to 50 are reserved for well-known services. A well-known service is any service that is defined by the
WCCP standard as being well known. Because the service is well known, you just need to specify the service ID to
identify the traffic to be cached.
Even though the well-known service ID range is 0 to 50, only one well-known service has been defined. Its service ID is
0, which is used for caching HTTP (web) traffic.


To configure WCCP to cache HTTP sessions, you can add a service group to the FortiProxy WCCP router and
FortiProxy WCCP clients with a service ID of 0. No other information about the type of traffic to cache needs to be added
to the service group.
Because service IDs 1 to 50 are reserved for well-known services and because these services are not defined yet, you
should not add service groups with IDs in the range 1 to 50.

FortiProxy allows you to add service groups with IDs between 1 and 50. However, because
these service groups have not been assigned as well-known services, they will not cache any
sessions. Service groups with IDs 51 to 255 allow you to set the port numbers and protocol
number of the traffic to be cached. So you can use service groups with IDs 51 to 255 to cache
different kinds of traffic based on port numbers and protocol number of the traffic. Service
groups 1 to 50 however, do not allow you to set port or protocol numbers, so they cannot be
used to cache any traffic.

To cache traffic other than HTTP traffic you must add service groups with IDs in the range 51 to 255. These service
group configurations must include the port numbers and protocol number of the traffic to be cached. It is the port and
protocol number configuration in the service group that determines what traffic will be cached by WCCP.

WCCP configuration overview

To configure WCCP, you must create a service group that includes FortiProxy units configured as WCCP servers and
FortiProxy units configured as WCCP clients. WCCP servers intercept sessions to be cached (for example, sessions
from users browsing the web from a private network). To intercept sessions to be cached, the WCCP server must
include a firewall policy that accepts sessions to be cached, and WCCP must be enabled in this firewall policy.
The server must have an interface configured for WCCP communication with WCCP clients. That interface sends and
receives encapsulated GRE or L2 traffic to and from WCCP clients. The server must also include a WCCP service group
that includes a service ID and the addresses of the WCCP clients, as well as other WCCP configuration options.
To use a FortiProxy unit as a WCCP client, you must configure an interface on the unit for WCCP communication. The
client sends and receives GRE-encapsulated (or, in L2 mode, L2-forwarded) traffic to and from the WCCP server using this interface.
The client must also include a WCCP service group with a service ID that matches a service ID on the server. The client
service group also includes the IP address of the servers in the service group and specifies the port numbers and
protocol number of the sessions that will be cached on the FortiProxy unit.
When the client receives sessions from the server on its WCCP interface, it either returns cached content over the
WCCP interface or connects to the destination web servers using the appropriate interface, based on the client routing
configuration. Content received from web servers is then cached by the client and returned to the WCCP server over the
WCCP link. The server then returns the received content to the initial requesting user’s web browser.
Finally, you might also need to configure routing on the FortiProxy server unit and FortiProxy client units, and you might
need to add additional firewall policies to the server to accept sessions not cached by WCCP.

Example: Caching HTTP sessions

In this example configuration, a FortiProxy unit is operating as an Internet firewall for a private network. The port39
interface of the FortiProxy unit is connected to the Internet, and the port38 interface is connected to the internal network.


All HTTP traffic on port 80 that is received at the port38 interface of the FortiProxy unit is accepted by a port38-to-port39
firewall policy with WCCP enabled. All other traffic received at the port38 interface is allowed to connect to the Internet by
a general port38-to-port39 firewall policy placed below the HTTP-on-port-80 firewall policy.
A WCCP service group with a service ID of 0 is added to this FortiProxy unit for caching HTTP traffic on port 80. The port1
interface of the FortiProxy unit is configured for WCCP communication.
A second FortiProxy unit, acting as the WCCP client (cache engine), connects to the Internet through the first FortiProxy
unit. To allow this, a port1-to-port39 firewall policy is added to the first unit.
NOTE: The WCCP client can operate in L2 mode. In L2 mode, the WCCP client firewall policy must specify the physical
ingress interface that receives the L2-forwarded traffic. This is different from GRE mode, where redirected traffic arrives on the w.root interface.

Configure the WCCP client

You can configure the WCCP client in the GUI or CLI.

To configure the FortiProxy unit as a WCCP client using the GUI:

1. Go to Network > Interfaces.


2. Select an interface and then click Edit. If there are no interfaces in the list, select Create New.
3. Move the slider for Enable WCCP Protocol to enable WCCP on this interface and Click OK to save your changes.
4. Go to Web Cache > WCCP Settings and select Create New.
5. Configure the following settings:

Service ID Enter the WCCP service group identifier (the service ID shared by the
router and every cache engine in the group).
Enter 90 for the example network.

Cache ID Enter the IP address of this cache engine, as it is known to all WCCP
routers.
Enter 10.51.101.10 for the example network.

Router List Enter the IP addresses of the WCCP routers (servers) that redirect
traffic to this cache engine.
Enter 10.51.101.100 for the example network.

Authentication Enable or disable MD5 authentication of WCCP messages. With it
disabled, any host that can reach the router on UDP port 2048 can join the
service group.
Select Disable for the example network.

Cache Engine Method Select the method used to forward redirected traffic from the
routers to the cache engine and to return it from the cache engine to the routers,
either GRE or L2.
Select GRE or L2 for the example network.

Assignment Method Select the method used to assign traffic to cache engines,
either HASH or MASK.
Select HASH or MASK for the example network.

6. Click OK to create the WCCP client.

To configure the FortiProxy unit as a WCCP client using the CLI:

Use the following steps to configure the FortiProxy unit as the WCCP client for the example network. The example steps
only describe the WCCP-related configuration.


1. Configure the FortiProxy unit to operate as a WCCP client:

config system settings
set wccp-cache-engine enable
end

You cannot enter the wccp-cache-engine enable command if you have already
added a WCCP service group, so run it before creating the service group in step 3.
When you enter this command, an interface named w.root is added to the FortiProxy
configuration. All traffic redirected from a WCCP router is considered to be received
at this interface of the FortiProxy unit operating as a WCCP client. A default route to
this interface with lowest priority is added.

2. Enable WCCP on the aggregate interface aggr1:

config system interface
edit aggr1
set ip 192.168.1.2 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set type aggregate
set explicit-web-proxy enable
set member port1 port4
set wccp enable
next
end

The allowaccess list is reproduced from the example as given. http and telnet are cleartext management
protocols; remove them from the list unless you specifically need them on this interface.

3. Add a WCCP service group with service ID 0. The cache-id is the address of this WCCP client (the aggr1
interface, 192.168.1.2) and router-list holds the address of the WCCP router (192.168.1.1), which matches the
diagnose output shown under Verify the WCCP status:

config system wccp
edit 0
set router-list 192.168.1.1
set cache-id 192.168.1.2
next
end

To redirect traffic in L2 mode instead of GRE, also set the cache engine method on the service group:

config system wccp
edit 0
set cache-engine-method L2
next
end

4. Add a w.root-to-aggr1 firewall policy that accepts HTTP traffic on port 80 and is configured for WCCP:
config firewall policy
edit 1
set srcintf w.root
set dstintf aggr1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service HTTP
set webcache enable
end

config firewall central-snat-map
edit 1
set masquerade enable
set srcintf w.root
set dstintf aggr1
set orig-addr "all"
set dst-addr "all"
next
end

NOTE: If the FortiProxy is operating in L2 mode, the firewall policy must specify the ingress interface where L2-
forwarded traffic is being received:
config firewall policy
edit 1
set srcintf <port x>
set dstintf <port y>
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service HTTP
set webcache enable
end

config firewall central-snat-map
edit 1
set masquerade enable
set srcintf <port x>
set dstintf <port y>
set orig-addr "all"
set dst-addr "all"
next
end

Verify the WCCP status

After setting up the FortiProxy unit as the WCCP client, verify that it is configured correctly. The cache_id should be the client's own WCCP interface address and the router list should contain the WCCP router:
diagnose test application wccp 2
root: work mode:cache working NAT first_phy_id=8
interface list:
intf=aggr1, gid=8 phy_id=8
service list:
service: 0, cache_id=192.168.1.2, group=0.0.0.0, auth(no)
forward=1, return=1, assign=1.
router list:
192.168.1.1
port list:
ecache_id=192.168.1.2

diagnose test application wccp 6


service-0 in root
erouter_list: 1 routers in total
0. 192.168.1.1
receive_id:23573 change_number:2
cache servers seen by this router:
0. 192.168.1.2 weight:0 (*Designated Web Cache)


WCCP packet flow

The following packet flow sequence assumes you have configured a FortiProxy unit to be a WCCP server and one or
more FortiProxy units to be WCCP clients.
1. A user’s web browser sends a request for web content.
2. The FortiProxy unit configured as a WCCP server includes a firewall policy that intercepts the request and forwards
it to a FortiProxy WCCP client.
3. The firewall policy can apply UTM features to traffic accepted by the policy.
4. The FortiProxy WCCP client receives the WCCP session.
5. The client either returns the requested content to the WCCP server if it is already cached, or connects to the
destination web server, receives and caches the content, and then returns it to the WCCP server.
6. The WCCP server (router) returns the requested content to the user’s web browser. The browser is not aware that
any of this is taking place and does not have to be configured to use a web proxy.

Configure forward and return methods and adding authentication

The WCCP forwarding method determines how intercepted traffic is transmitted from the WCCP router to the WCCP
cache engine, and the return method determines how the cache engine sends traffic back to the router. FortiProxy units
support GRE and L2 (the cache engine method on the service group); this section describes GRE forwarding.
GRE forwarding encapsulates the intercepted packet in an IP GRE header with a source IP address of the WCCP router
and a destination IP address of the target WCCP cache engine. The result is a tunnel that allows the WCCP router to be
multiple hops away from the WCCP cache server.
By default, the WCCP control messages exchanged between the router and cache servers are not authenticated, so any
host that can send UDP port 2048 traffic to the router can announce itself as a cache engine (or, to a cache engine, as a
router) and have user sessions redirected to it. Enabling MD5 authentication makes both sides verify a shared password
on every WCCP message and discard messages that fail the check. This is an integrity and authenticity check only: the
WCCP messages and the GRE-encapsulated user traffic remain unencrypted, so authentication does not protect the
stream from sniffing. You must enable authentication on the router and on every cache engine in the service group, and
all must use the same password.
config system wccp
edit <Service-ID>
set authentication enable
set password <password>
next
end

Purging specific cached content

You can purge specific cached content with the following CLI command:
execute webcache delete [pattern_type] [pattern_string]

For [pattern_type], there are three choices:


• simple: a simple string following the pattern [domain_string]:[port_string]/[path_string]
• wildcard: a wildcard match following the pattern [domain_wildcard]:[port_wildcard]/[path_wildcard]
• regexp: a Perl regular expression
To delete all cached content from www.domain.com/path:
execute webcache delete simple www.domain.com:80/path

To delete all content from .com www sites


execute webcache delete wildcard www.*.com:*/*

To verify the status of a purge request


execute webcache delete status
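
To see which entries each pattern type reaches before you purge, here is an added Python model of the three match types. It is not FortiProxy code: it assumes cache entries are keyed in the domain:port/path form the simple pattern uses, that a wildcard * matches any run of characters, and that a regexp is searched rather than anchored; the sample cache keys are constructed for the example.

```python
"""Model of the pattern types accepted by `execute webcache delete`.
Added example, not FortiProxy code; key format, `*` semantics and unanchored
regexp search are assumptions, and SAMPLE_CACHE is constructed."""
import fnmatch
import re
from typing import Callable, List, Tuple

# Constructed sample of cache keys in domain:port/path form.
SAMPLE_CACHE = [
    "www.domain.com:80/path",
    "www.domain.com:80/path/img.png",
    "www.other.com:443/index.html",
    "cdn.other.com:80/app.js",
    "www.domain.com.evil.net:80/path",
    "intranet.corp:8080/reports",
]


def compile_pattern(pattern_type: str, pattern: str) -> Callable[[str], bool]:
    """Turn a purge pattern into a predicate over cache keys."""
    if pattern_type == "simple":
        # Assumption: a simple pattern names exactly one key.
        return lambda key: key == pattern
    if pattern_type == "wildcard":
        # Assumption: `*` matches any run of characters, including ':' and '/'.
        return lambda key: fnmatch.fnmatchcase(key, pattern)
    if pattern_type == "regexp":
        rx = re.compile(pattern)
        # Searched, not anchored: an unanchored domain also hits look-alike hosts.
        return lambda key: rx.search(key) is not None
    raise ValueError(f"unknown pattern type: {pattern_type}")


def purge(cache: List[str], pattern_type: str, pattern: str) -> Tuple[List[str], List[str]]:
    """Return (deleted, remaining) for one purge request against the given cache."""
    match = compile_pattern(pattern_type, pattern)
    deleted = [k for k in cache if match(k)]
    remaining = [k for k in cache if not match(k)]
    return deleted, remaining


if __name__ == "__main__":
    for ptype, pat in (("simple", "www.domain.com:80/path"),
                       ("wildcard", "www.*.com:*/*"),
                       ("regexp", r"www\.domain\.com"),
                       ("regexp", r"^www\.domain\.com:")):
        print(ptype, pat, "->", purge(SAMPLE_CACHE, ptype, pat)[0])
```

The regexp case shows the caveat: an unanchored www\.domain\.com also purges www.domain.com.evil.net, so anchor the domain part (^www\.domain\.com:) when you mean one host, and check the result with execute webcache delete status.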

WCCP messages

When the WCCP service is active on a web cache server, it periodically sends a WCCP HERE I AM broadcast or unicast
message to the FortiProxy unit operating as a WCCP router. This message contains the following information:
• Web cache identity (the IP address of the web cache server)
• Service information (the service group to join)
If the information received in this message matches what is expected, the FortiProxy unit replies with a WCCP I SEE
YOU message that contains the following details:
• Router identity (the FortiProxy unit’s IP address)
• Sent to IP (the web cache IP addresses to which the packets are addressed)
When both ends receive these two messages, the connection is established, the service group is formed, and the
designated web cache is elected.
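
The exchange above, together with the MD5 authentication described under Configure forward and return methods and adding authentication, as an added Python model. It is not FortiProxy code and not the WCCPv2 wire format: the message layout, field names and the security tag (HMAC-MD5 over the serialised body) are simplifications chosen for illustration. What it shows is what the shared password buys and what it does not: a router rejects a HERE I AM whose tag does not verify (the "MD5 check failed" case in the troubleshooting output that follows), a router with no password admits any cache engine that announces itself, and the message fields stay readable either way.

```python
"""Model of the WCCP HERE I AM / I SEE YOU exchange with MD5 authentication.
Added example: not FortiProxy code and not the WCCPv2 wire format (message
layout, field names and the HMAC-MD5 tag are simplifications)."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

WCCP_PORT = 2048  # UDP port FortiProxy uses for WCCP control messages (informational)


def build_message(msg_type: str, fields: Dict, password: Optional[str]) -> Dict:
    """Serialise a control message and attach a security tag if a password is set."""
    body = json.dumps({"type": msg_type, **fields}, sort_keys=True).encode()
    tag = hmac.new(password.encode(), body, hashlib.md5).hexdigest() if password else None
    return {"body": body, "auth": tag}


def readable_fields(msg: Dict) -> Dict:
    """Every field is plaintext: authentication adds a tag, not secrecy."""
    return json.loads(msg["body"])


def check_security(msg: Dict, password: Optional[str]) -> Tuple[bool, str]:
    """Receiver-side check, the role wccp2_check_security_info plays in the debug output."""
    if password is None:
        return True, "no authentication configured"
    if msg["auth"] is None:
        return False, "security component missing"
    expected = hmac.new(password.encode(), msg["body"], hashlib.md5).hexdigest()
    if not hmac.compare_digest(expected, msg["auth"]):
        return False, "MD5 check failed"
    return True, "ok"


class WccpRouter:
    """WCCP server side: admits cache engines into a service group."""

    def __init__(self, ip: str, service_id: int, password: Optional[str] = None):
        self.ip, self.service_id, self.password = ip, service_id, password
        self.cache_servers: List[str] = []  # "cache servers seen by this router"
        self.log: List[str] = []

    def receive_here_i_am(self, msg: Dict) -> Optional[Dict]:
        ok, reason = check_security(msg, self.password)
        if not ok:
            self.log.append(f"wccp2_check_security_info: {reason}")
            return None
        fields = readable_fields(msg)
        if fields["service_id"] != self.service_id:
            self.log.append(f"service {fields['service_id']} not configured here")
            return None
        if fields["cache_id"] not in self.cache_servers:
            self.cache_servers.append(fields["cache_id"])
        reply = {"router_id": self.ip, "sent_to": fields["cache_id"],
                 "service_id": self.service_id}
        return build_message("I_SEE_YOU", reply, self.password)


class WccpCache:
    """Cache-engine side: announces itself and validates the router's reply."""

    def __init__(self, ip: str, service_id: int, password: Optional[str] = None):
        self.ip, self.service_id, self.password = ip, service_id, password
        self.routers: List[str] = []

    def here_i_am(self) -> Dict:
        return build_message("HERE_I_AM", {"cache_id": self.ip,
                                            "service_id": self.service_id}, self.password)

    def receive_i_see_you(self, msg: Dict) -> bool:
        ok, _ = check_security(msg, self.password)
        if not ok:
            return False
        fields = readable_fields(msg)
        if fields["sent_to"] == self.ip and fields["router_id"] not in self.routers:
            self.routers.append(fields["router_id"])
        return True


def run_exchange(router: WccpRouter, cache: WccpCache) -> bool:
    """One HERE I AM / I SEE YOU round trip; True when the service group forms."""
    reply = router.receive_here_i_am(cache.here_i_am())
    return reply is not None and cache.receive_i_see_you(reply)


if __name__ == "__main__":
    router = WccpRouter("192.168.1.1", 0, password="s3cret")
    print(run_exchange(router, WccpCache("192.168.1.2", 0, password="s3cret")))
    print(run_exchange(router, WccpCache("10.0.0.9", 0, password="wrong")), router.log)
```

The rogue case is the one to keep in mind when deciding whether to leave Authentication disabled: with no password on the router, a WccpCache at any reachable address is admitted to the service group and the router starts redirecting user sessions to it.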

Troubleshooting WCCP

Two types of debug commands are available for debugging or troubleshooting a WCCP connection between a
FortiProxy unit operating as a WCCP router and its FortiProxy WCCP cache engines.

Real-time debugging

The following commands can capture live WCCP messages:


diagnose debug enable
diagnose debug application wccpd <debug level>

Application debugging

The following commands display information about WCCP operations:


get test wccpd <integer>
diagnose test application wccpd <integer>

Where <integer> is a value between 1 and 5:


1. Display WCCP statistics
2. Display WCCP configuration
3. Display WCCP cache servers
4. Display WCCP services
5. Display WCCP assignment
Enter the following command to view the debugging output:
diagnose test application wccpd 3


Sample output from a successful WCCP connection:


service-0 in root: num=1, usable=1
cache server ID:
len=44, addr=172.16.78.8, weight=4135, status=0
rcv_id=6547, usable=1, fm=1, nq=0, dev=3(k3),
to=192.168.11.55
ch_no=0, num_router=1:
192.168.11.55

Sample output from the same command for an unsuccessful WCCP connection (because of a service group password
mismatch):
service-0 in root: num=0, usable=0
Real-time debugging at level -1 shows the reason for the failure:
diagnose debug application wccpd -1
Sample output:
wccp_on_recv()-98: root recv: num=160, dev=3(3),
172.16.78.8->192.168.11.55
wccp2_receive_pkt()-1124: len=160, type=10, ver=0200,
length=152
wccp2_receive_pkt()-1150: found component:t=0, len=20
wccp2_receive_pkt()-1150: found component:t=1, len=24
wccp2_receive_pkt()-1150: found component:t=3, len=44
wccp2_receive_pkt()-1150: found component:t=5, len=20
wccp2_receive_pkt()-1150: found component:t=8, len=24
wccp2_check_security_info()-326: MD5 check failed

User Agent

You can specify which computer programs are used to preload URLs. Multiple browsers are supported, such as
Chrome, Safari, Firefox, and Internet Explorer. After you define a user agent, you can select it when you create prefetch
URLs or reverse cache prefetch URLs.
To see the list of user agents, go to Web Cache > User Agent.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.


The following options are available:

Create New Add a new user agent. See Create or edit a user agent on page 337.

Edit Edit the selected user agent. See Create or edit a user agent on page 337.

Delete Delete the selected user agent.

Name The name of the user agent.

User Agent The name of the computer program to use to preload the URLs.

Ref. Displays the number of times the object is referenced by other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create or edit a user agent

To create a user agent:

1. Go to Web Cache > User Agent and select Create New from the toolbar. The Create User Agent window opens.

2. Configure the following settings:

Name Enter a name for the user agent.

User Agent Enter the name of the browser.

3. Click OK to create the new user agent.

To edit a user agent:

1. Go to Web Cache > User Agent.


2. Select the user agent you want to edit and then click Edit from the toolbar or double-click on the user agent in the
table. The Edit User Agent window opens.
3. Edit the information as required and then click OK to apply your changes.


Reverse Cache Server

If you want to use reverse proxy web-caching, you need to configure a reverse cache server. For more information about
reverse proxy web caching, see Web-caching topologies on page 26.
To see the list of reverse cache servers, go to Web Cache > Reverse Cache Server.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Add a new reverse cache server. See Create or edit a reverse cache server on
page 338.

Edit Edit the selected reverse cache server. See Create or edit a reverse cache server
on page 338.

Delete Delete the selected reverse cache server.

Name The name of the reverse cache server.

IP The IP address of the reverse cache server.

Port The port number that the reverse cache server is using.

Status The status is Enabled or Disabled.

Ref. Displays the number of times the object is referenced by other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create or edit a reverse cache server

To create a reverse cache server:

1. Go to Web Cache > Reverse Cache Server and select Create New from the toolbar. The Create Reverse Cache
Server window opens.


2. Configure the following settings:

Name Enter a name for the reverse cache server.

IP Enter the IP address of the reverse cache server.

Port Enter the port number that the reverse cache server will use.

Status Enable or disable the reverse cache server.

Priority Enter a number to indicate the priority of the reverse cache server.

Prefetch File If you created a prefetch file of URLs that you want preloaded, select + to open
the Select Entries window and then select the prefetch file.
To create a prefetch file, see Prefetch URLs on page 339.

3. Click OK to create the reverse cache server.

To edit a reverse cache server:

1. Go to Web Cache > Reverse Cache Server.


2. Select the server you want to edit and then click Edit from the toolbar or double-click on the server in the table. The
Edit Reverse Cache Server window opens.
3. Edit the information as required and then click OK to apply your changes.

Prefetch URLs

To improve the speed of your system, you can specify URLs to preload.
To see the list of prefetch files of URLs to preload, go to Web Cache > Prefetch URLs.


Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Prefetch URL Add a new prefetch file. See To create a prefetch file: on page 340.

Edit Edit the selected prefetch file. See To edit a prefetch file: on page 341.

Delete Delete the selected prefetch file. See To delete a prefetch file or files: on page
341.

Download Prefetch Log Select to download the prefetch log.

URL The URLs to preload.

Depth How many levels deep to preload.

Repeat Interval (Minutes) How often, in minutes, to preload the URLs.

Next Run When the URLs will be preloaded next.

To create a prefetch file:

1. Go to Web Cache > Prefetch URLs and select Create New Prefetch URL from the toolbar. The Create New Prefetch
URL window opens.


2. Configure the following settings:

URL Enter the URLs to preload. Separate multiple URLs with a semicolon.

Crawl Depth Enter how many levels deep to preload the URLs.

Ignore robots.txt rules Enable to ignore the rules found in the robots.txt file.

Run After Select when the URL is preloaded the first time.

Repeat Interval Enter how often to preload the URLs and how many times to preload the
URLs.

User Agent The name of the computer program to use to preload the URLs.

User The user name for the user agent.

Password The password for the user agent.

3. Click OK to create the new prefetch file.

To edit a prefetch file:

1. Go to Web Cache > Prefetch URLs.


2. Select the file that you want to edit and then click Edit from the toolbar or double-click on the file in the table. The Edit
Reverse Cache Prefetch window opens.
3. Edit the information as required, then click OK to apply your changes.

To delete a prefetch file or files:

1. Go to Web Cache > Prefetch URLs.


2. Select the file or files that you want to delete.
3. Click Delete from the toolbar.
4. Click OK in the confirmation dialog box to delete the selected file or files.

Prefetch File

Use the prefetch file to specify which URLs to preload.


To see the list of prefetch files, go to Web Cache > Prefetch File.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.


The following options are available:

Create New Add a new prefetch file. See Create or edit a prefetch file on page 342.

Edit Edit the selected prefetch file. See Create or edit a prefetch file on page 342.

Delete Delete the selected reverse cache prefetch file.

Name The name of the reverse cache prefetch file.

URL The URLs to preload.

Crawl Depth How many levels deep to preload.

Interval How often, in seconds, to preload the URLs.

Repeats How many times to preload the URLs. The value range is 0-4,200,000,000.

Ref. Displays the number of times the object is referenced by other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create or edit a prefetch file

To create a prefetch file:

1. Go to Web Cache > Prefetch File and select Create New from the toolbar.
The Create Reverse Cache Prefetch window opens.


2. Configure the following settings:

Name Enter a name for the reverse cache prefetch file.

URL Enter the URLs to preload. Separate multiple URLs with a semicolon.

Crawl Depth Enter how many levels deep to preload the URLs.

Ignore robots.txt rules Enable to ignore the rules found in the robots.txt file.

Interval Enter how often, in seconds, to preload the URLs.

Repeats Enter how many times to preload the URLs. The value range is 0-
4,200,000,000.

User Agent The name of the computer program to use to preload the URLs. To create a
user agent, see Create or edit a user agent on page 337.

3. Click OK to create the new reverse cache prefetch file.

To edit a prefetch file:

1. Go to Web Cache > Prefetch File.


2. Select the file that you want to edit and then click Edit from the toolbar or double-click on the file in the table.
The Edit Reverse Cache Prefetch window opens.
3. Edit the information as required, then click OK to apply your changes.

VPN

The VPN menu allows you to configure IPsec VPN and SSL-VPN.
The following topics are included in this section:
• IPsec Tunnels on page 345
• IPsec Wizard on page 350
• IPsec Tunnel Template on page 356
• SSL-VPN Portals on page 357
• SSL-VPN Settings on page 362
• SSL-VPN Personal Bookmarks on page 366
• SSL-VPN Realms on page 367

IPsec VPN

Virtual Private Network (VPN) technology enables remote users to connect to private computer networks to gain access
to their resources in a secure way. For example, an employee traveling or working from home can use a VPN to securely
access the office network through the Internet.
Instead of remotely logging on to a private network using an unencrypted and insecure Internet connection, the use of a
VPN ensures that unauthorized parties cannot access the office network and cannot intercept any of the information that
is exchanged between the employee and the office. It is also common to use a VPN to connect the private networks of
two or more offices.
Fortinet offers VPN capabilities in the FortiProxy Unified Threat Management (UTM) appliance and in the FortiClient
Endpoint Security suite of applications. A FortiProxy unit can be installed on a private network, and FortiClient software
can be installed on the user’s computer. It is also possible to use a FortiProxy unit to connect to the private network
instead of using FortiClient software.

SSL-VPN

As organizations have grown and become more complex, secure remote access to network resources has become
critical for day-to-day operations. In addition, businesses are expected to provide clients with efficient, convenient
services including knowledge bases and customer portals. Employees traveling across the country or around the world
require timely and comprehensive access to network resources. As a result of the growing need for providing
remote/mobile clients with easy, cost-effective and secure access to a multitude of resources, the concept of a Virtual
Private Network (VPN) was developed.
SSL VPNs establish connectivity using SSL, which functions at Layers 4-5 (Transport and Session layers). Information is
encapsulated at Layers 6-7 (Presentation and Application layers), so SSL VPNs communicate at the highest levels in
the OSI model. SSL itself is not strictly a VPN technology; it is the transport-security protocol on which this kind of VPN is
built. A VPN is a secure logical network created from physically separate networks. VPNs use


encryption and other security methods to ensure that only authorized users can access the network. VPNs also ensure
that the data transmitted between computers cannot be intercepted by unauthorized users. When data is encoded and
transmitted over the Internet, the data is said to be sent through a “VPN tunnel.” A VPN tunnel is a non-application
oriented tunnel that allows the users and networks to exchange a wide range of traffic regardless of application or
protocol.
The advantages of a VPN over an actual physical private network are two-fold. Rather than utilizing expensive leased
lines or other infrastructure, you use the relatively inexpensive, high-bandwidth Internet. Perhaps more important though
is the universal availability of the Internet. In most areas, access to the Internet is readily obtainable without any special
arrangements or long wait times.
SSL (Secure Sockets Layer) as HTTPS is supported by most web browsers for exchanging sensitive information
securely between a web server and a client. SSL establishes an encrypted link, ensuring that all data passed between
the web server and the browser remains private and secure. SSL protection is initiated automatically when a user (client)
connects to a web server that is SSL-enabled. Once the successful connection is established, the browser encrypts all
the information before it leaves the computer. When the information reaches its destination, it is decrypted using a secret
(private) key. Any data sent back is first encrypted, and is decrypted when it reaches the client.
FortiProxy supports the SSL and TLS versions defined in the following table.

SSL and TLS version support table

Version    RFC
SSL 2.0    RFC 6176
SSL 3.0    RFC 6101
TLS 1.0    RFC 2246
TLS 1.1    RFC 4346
TLS 1.2    RFC 5246

IPsec Tunnels

The data path between a userʼs computer and a private network through a VPN is referred to as a tunnel. Like a physical tunnel, the data path is accessible only at both ends. In the telecommuting scenario, the tunnel runs between the FortiClient application on the userʼs PC, or a FortiProxy unit or other network device, and the FortiProxy unit on the office private network.
Encapsulation makes this possible. IPsec packets pass from one end of the tunnel to the other and contain the data packets that are exchanged between the local user and the remote private network. Encryption of the data packets ensures that any third party who intercepts the IPsec packets cannot access the data.
You can create a VPN tunnel between:
- A PC equipped with the FortiClient application and a FortiProxy unit
- Two FortiProxy units
- Third-party VPN software and a FortiProxy unit
To view a list of IPsec tunnels, go to VPN > IPsec Tunnels. After you create an IPsec VPN tunnel, it appears in the VPN tunnel list.


Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New > IPsec Tunnel: Run the IPsec Wizard and create an IPsec tunnel. See IPsec Wizard on page 350.
Edit: Edit an IPsec tunnel. See Edit an IPsec tunnel on page 346.
Delete: Delete the selected IPsec tunnel.
Search: Enter a search term to find in the list.
Tunnel: The name of the IPsec tunnel.
Interface Binding: Select the name of the interface through which remote peers connect to the FortiProxy unit.
Status: The status is Active or Inactive.
Ref.: Displays the number of times the object is referenced by other objects. To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.
Aggregate Weight: The aggregate weight.
Comments: An optional description of the IPsec tunnel.
IKE Version: The default IKE version is 1.
Mode: The mode is Aggressive or Main (ID Protection):
  - Main (ID Protection): The Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
  - Aggressive: The Phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.
Phase 2 Selectors: The name of phase 2.

Edit an IPsec tunnel

Select an IPsec tunnel and then click Edit to open the Edit VPN Tunnel page.


Configure the following settings in the Edit VPN Tunnel page. After editing each section, select the checkmark icon to save your changes. After you make all of your changes, click OK.

Name: The name of the IPsec tunnel cannot be changed.
Comments: An optional description of the IPsec tunnel.


Network: Select Edit to make changes.
IP Version: This option is set to IPv4.
Remote Gateway: This option is set to Static IP Address for a remote peer that has a static IP address.
IP Address: Enter the IP address of the remote peer.
Interface: Select the name of the interface through which remote peers connect to the FortiProxy unit.
Local Gateway: Enable this option to configure a local gateway and then select Primary IP, Secondary IP, or Specify. Enter or select the IP address.
NAT Traversal: Select Enable if a NAT device exists between the local FortiProxy unit and the VPN peer or client. The local FortiProxy unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably. Additionally, you can force IPsec to use NAT traversal. If this option is set to Forced, the FortiProxy unit uses a port value of zero when constructing the NAT discovery hash for the peer. This causes the peer to think it is behind a NAT device, and it will use UDP encapsulation for IPsec, even if no NAT is present. This approach maintains interoperability with any IPsec implementation that supports the NAT-T RFC.
Keepalive Frequency: If you selected Enable or Forced for NAT traversal, enter a keep-alive frequency.
Forward Error Correction: Select Egress or Ingress.
Add route: Select Enabled if you want to add a route.
Auto discovery sender: Select Enabled to automatically discover the sender.
Auto discover receiver: Select Enabled to automatically discover the receiver.
Authentication: Select Edit to make changes.
Method: Select Pre-shared Key or Signature:
  - Pre-shared Key: A preshared key contains at least six random alphanumeric characters. Users of the VPN must obtain the preshared key from the person who manages the VPN server and add the preshared key to their VPN client configuration.
  - Signature: Use one or more certificates for authentication.
Pre-shared Key: If you selected Pre-shared Key for the authentication method, enter the pre-shared key that the FortiProxy unit will use to authenticate itself to the remote peer or dial-up client during Phase 1 negotiations. You must define the same key at the remote peer or client. The key must contain at least 6 printable characters. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters. The limit is 128 characters.


Certificate Name: If you selected Signature for the authentication method, select + and then select one or more certificates that the FortiProxy unit will use to authenticate itself.
Version: IKE version 1 is selected by default.
Mode: Select Aggressive or Main (ID protection):
  - Main (ID protection): The Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
  - Aggressive: The Phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.
Phase 1 Proposal: Select Edit to make changes. Select Add to get another row of Encryption and Authentication options.
Encryption: Select DES, 3DES, AES128, AES192, or AES256 to use as the encryption algorithm.
Authentication: Select MD5, SHA1, SHA256, SHA384, or SHA512 to use for authentication.
Diffie-Hellman Groups: Select one or more Diffie-Hellman (DH) asymmetric key algorithms for public key cryptography.
Key Lifetime (seconds): Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key lifetime can be from 120 to 172,800 seconds.
Local ID: A Local ID is an alphanumeric value.
XAUTH: Select Edit to make changes.
Type: Select Client to require an additional user name and password for authentication.
Username: If you selected Client, enter a user name for authentication.
Password: If you selected Client, enter a password for authentication.
Phase 2 Selectors: Select Add to enter new phase-2 information.
Name: Enter the Phase-2 name.
Comments: An optional description of the VPN tunnel.
Local Address: Select Subnet, IP Range, IP Address, Named Address, IPv6 Subnet, IPv6 Range, IPv6 Address, or Named IPv6 Address and then enter the specified information.
Remote Address: Select Subnet, IP Range, IP Address, Named Address, IPv6 Subnet, IPv6 Range, IPv6 Address, or Named IPv6 Address and then enter the specified information.
Phase 2 Proposal: Select Add to get another row of Encryption and Authentication options.
Encryption: Select DES, 3DES, AES128, AES128GCM, AES192, AES256, or CHACHA20POLY1305 to use as the encryption algorithm.
Authentication: Select MD5, SHA1, SHA256, SHA384, or SHA512 to use for authentication.
Enable Replay Detection: Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel.


Enable Perfect Forward Secrecy (PFS): Enable for PFS.
Local Port: Select All or enter the local port number.
Remote Port: Select All or enter the remote port number.
Protocol: Select All or enter the protocol number.
Auto-negotiate: Enable the option if you want the tunnel to be automatically renegotiated when the tunnel expires.
Autokey Keep Alive: Select the check box if you want the tunnel to remain active when no data is being processed.
Key Lifetime: Select the method for determining when the Phase 2 key expires: Seconds, Kilobytes, or Both. If you select Both, the key expires when either the time has passed or the number of kilobytes has been processed.
Seconds: If you selected Seconds or Both for the key lifetime, enter the number of seconds.
Kilobytes: If you selected Kilobytes or Both for the key lifetime, enter the number of kilobytes.
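The NAT Traversal setting above (the same option appears again on the custom tunnel page) says that Forced puts a port value of zero into the NAT discovery hash so that the peer concludes it is behind NAT. The following script is an added example, not FortiProxy code, that models this behaviour using the RFC 3947 NAT-D payload, HASH(CKY-I | CKY-R | IP | Port): the responder recomputes the hash from the source address and port it actually sees, and any mismatch is read as "a NAT is in the path". It assumes that Forced alters only the port field; the cookies and addresses are constructed sample values.

```python
"""Model of IKEv1 NAT-D detection (RFC 3947) and the 'Forced' NAT-T setting.

Added example, not FortiProxy code. Each IKE peer sends NAT-D payloads
carrying HASH(CKY-I | CKY-R | IP | Port); the receiver recomputes the hash
from the address and port it observes on the wire. A mismatch means a NAT
rewrote something, so both sides move to UDP encapsulation. Sending port 0
instead of the real source port (assumed model of 'Forced') guarantees a
mismatch at the peer even when no NAT exists.
"""
import hashlib
import ipaddress


def nat_d_hash(hash_name: str, cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).

    cky_i/cky_r are the 8-byte ISAKMP cookies, IP is 4 octets (IPv4) or
    16 octets (IPv6), and the port is 2 octets in network byte order.
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.new(hash_name, data).digest()


def sender_nat_d_payload(hash_name, cky_i, cky_r, local_ip, local_port, forced=False):
    """Hash the initiator sends for its own address.

    With forced=True the real port is replaced by 0 (assumption: 'Forced'
    changes only the port, as the guide describes).
    """
    return nat_d_hash(hash_name, cky_i, cky_r, local_ip, 0 if forced else local_port)


def responder_detects_nat(hash_name, cky_i, cky_r, received_hash, observed_ip, observed_port):
    """Responder side: recompute from the source IP/port seen on the wire.

    True means the hashes differ, so the responder assumes a NAT (real or,
    under 'Forced', simulated) and will use UDP encapsulation for ESP.
    """
    expected = nat_d_hash(hash_name, cky_i, cky_r, observed_ip, observed_port)
    return expected != received_hash


def simulate(forced: bool, nat_present: bool) -> bool:
    """One exchange with constructed cookies/addresses; returns whether NAT is detected."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed sample cookies
    cky_r = bytes.fromhex("8899aabbccddeeff")
    local_ip, local_port = "192.0.2.10", 500     # initiator's own view (TEST-NET-1)
    # What the responder observes: unchanged, or rewritten by a NAT box (constructed)
    seen_ip, seen_port = ("198.51.100.7", 41000) if nat_present else (local_ip, local_port)
    h = sender_nat_d_payload("sha1", cky_i, cky_r, local_ip, local_port, forced)
    return responder_detects_nat("sha1", cky_i, cky_r, h, seen_ip, seen_port)


if __name__ == "__main__":
    for forced in (False, True):
        for nat in (False, True):
            print(f"forced={forced!s:5} nat_present={nat!s:5} -> NAT detected: {simulate(forced, nat)}")
```

Running the script shows that with Forced off the responder detects NAT only when a NAT device really rewrites the source address or port, while with Forced on the port-0 hash never matches, so UDP encapsulation is used in every case. When troubleshooting a tunnel that unexpectedly negotiates UDP 4500, check whether one side has Forced enabled before looking for a NAT device.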

IPsec Wizard

To set up an IPsec VPN:

1. Go to VPN > IPsec Wizard.
2. Configure the VPN setup and then select Next:
   Name: Enter a unique descriptive name (15 characters or less) for the VPN tunnel.
   Template Type: Select Site to Site or Custom:
     - Site to Site: Static tunnel between this FortiProxy unit and a remote FortiProxy unit through the Internet.
     - Custom: No template. See Create a custom VPN tunnel on page 352.
   NAT Configuration: If you selected Site to Site, select No NAT between sites, This site is behind NAT, or The remote site is behind NAT.
   Remote Device type: If you selected Site to Site, select FortiProxy or Cisco.
3. Configure the authentication and then select Next:
   Remote Device: If you selected Site to Site for the template type, select IP Address or Dynamic DNS.
   Remote IP Address: If you selected IP Address for the remote address, enter the IP address of the remote peer.
   FQDN: If you selected Dynamic DNS for the remote address, enter the domain name of the remote peer.


   Outgoing Interface: If you selected Site to Site for the template type, select the outgoing interface from the drop-down list.
   Incoming Interface: If you selected Remote Access for the template type, select the incoming interface from the drop-down list.
   Authentication Method: Select Pre-shared Key or Signature:
     - Pre-shared Key: A preshared key contains at least six random alphanumeric characters. Users of the VPN must obtain the preshared key from the person who manages the VPN server and add the preshared key to their VPN client configuration.
     - Signature: Use one or more certificates for authentication.
   Pre-shared Key: If you selected Pre-shared Key for the authentication method, enter the pre-shared key that the FortiProxy unit will use to authenticate itself to the remote peer or dial-up client during Phase 1 negotiations. You must define the same key at the remote peer or client. The key must contain at least 6 printable characters. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters. The limit is 128 characters.
   Certificate Name: If you selected Signature for the authentication method, select + and then select one or more certificates that the FortiProxy unit will use to authenticate itself.
   Peer Certificate CA: If you selected Signature for the authentication method, select a peer certificate authority.
4. Configure the policy and routing settings:
   Local Interface: Select the name of the interface through which remote peers or dial-up clients connect to the FortiProxy unit.
   Local Subnets: If you selected Site to Site for the template type, enter a local subnet. Select + to enter another local subnet.
   Remote Subnets: Enter a remote subnet. Select + to enter another remote subnet.
   Internet Access: Select None, Share Local, or Use Remote.
     - None: Site-to-site devices communicate over the VPN, but Internet access does not require the VPN.
     - Share Local: Allow the remote site to use this FortiProxy as an Internet gateway.
     - Use Remote: This FortiProxy unit will use a tunnel for Internet access from the remote location.
   Shared WAN: If you selected Share Local for Internet access, select the WAN interface.
   Local Gateway: If you selected Use Remote for Internet access, enter the local gateway address.
5. Select Create.
6. Select Add Another to start at the beginning of the IPsec Wizard or select Show Tunnel List to see the available IPsec tunnels.


Create a custom VPN tunnel

If you select Custom for the template type in the IPsec Wizard and then select Next, the New VPN Tunnel window opens.


Configure the following settings and then click OK:

Name: Type a name for the Phase 1 definition.
Comments: An optional description of the VPN tunnel.
Enable IPsec Interface Mode: Select this option if you want to create an IPsec VPN tunnel.
IP Version: This option is set to IPv4.
Remote Gateway: This option is set to Static IP Address for a remote peer that has a static IP address.
IP Address: Enter the IP address of the remote peer.
Interface: Select the name of the interface through which remote peers connect to the FortiProxy unit.
Local Gateway: Enable this option to configure a local gateway and then select Primary IP, Secondary IP, or Specify. Enter or select the IP address.
NAT Traversal: Select Enable if a NAT device exists between the local FortiProxy unit and the VPN peer or client. The local FortiProxy unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably. Additionally, you can force IPsec to use NAT traversal. If this option is set to Forced, the FortiProxy unit uses a port value of zero when constructing the NAT discovery hash for the peer. This causes the peer to think it is behind a NAT device, and it will use UDP encapsulation for IPsec, even if no NAT is present. This approach maintains interoperability with any IPsec implementation that supports the NAT-T RFC.
Keepalive Frequency: If you selected Enable or Forced for NAT traversal, enter a keep-alive frequency.
Dead Peer Detection: Select On Idle to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. You can use this option to receive notification whenever a tunnel goes up or down, or to keep the tunnel connection open when no traffic is being generated inside the tunnel. With On Idle or On Demand selected, you can use the config vpn ipsec phase1 (tunnel mode) or config vpn ipsec phase1-interface (interface mode) CLI command to optionally specify a retry count and a retry interval.
Method: Select Pre-shared Key or Signature:
  - Pre-shared Key: A preshared key contains at least six random alphanumeric characters. Users of the VPN must obtain the preshared key from the person who manages the VPN server and add the preshared key to their VPN client configuration.
  - Signature: Use one or more certificates for authentication.
Pre-shared Key: If you selected Pre-shared Key for the authentication method, enter the pre-shared key that the FortiProxy unit will use to authenticate itself to the remote peer or dial-up client during Phase 1 negotiations. You must define the same key at the remote peer or client.


The key must contain at least 6 printable characters. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters. The limit is 128 characters.
Certificate Name: If you selected Signature for the authentication method, select + and then select one or more certificates that the FortiProxy unit will use to authenticate itself.
Version: IKE version 1 is selected by default.
Mode: Select Aggressive or Main (ID protection):
  - Main (ID protection): The Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
  - Aggressive: The Phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.
Accept Types: If you selected Pre-shared Key for the authentication method and selected aggressive mode, select Any peer ID or Specific peer ID. If you select Specific peer ID, enter the peer ID. If you selected Signature for the authentication method, select Any peer ID, Specific peer ID, or Peer certificate.
Peer ID: If you selected Any peer ID, enter the peer ID.
Peer certificate: If you selected Peer certificate for the authentication method, select the certificate.
Phase 1 Proposal: Select Add to get another row of Encryption and Authentication options.
Encryption: Select DES, 3DES, AES128, AES192, or AES256 to use as the encryption algorithm. AES256 is the most secure; DES is the least secure.
Authentication: Select MD5, SHA1, SHA256, SHA384, or SHA512 to use for authentication.
Diffie-Hellman Groups: Select one or more Diffie-Hellman (DH) asymmetric key algorithms for public key cryptography.
Key Lifetime (seconds): Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key lifetime can be from 120 to 172,800 seconds.
Local ID: A Local ID is an alphanumeric value.
Type: Select Client to require an additional user name and password for authentication.
User Name: If you selected Client, enter a user name for authentication.
Password: If you selected Client, enter a password for authentication.
Name: By default, the Phase-2 name is the same as the Phase-1 name.
Comments: An optional description of the VPN tunnel.
Local Address: Select Subnet, IP Range, IP Address, Named Address, IPv6 Subnet, IPv6 Range, IPv6 Address, or Named IPv6 Address and then enter the specified information.


Remote Address: Select Subnet, IP Range, IP Address, Named Address, IPv6 Subnet, IPv6 Range, IPv6 Address, or Named IPv6 Address and then enter the specified information.
Phase 2 Proposal: Select Add to get another row of Encryption and Authentication options.
Encryption: Select NULL, DES, 3DES, AES128, AES128GCM, AES192, AES256, or AES256GCM to use as the encryption algorithm. NULL is the least secure; AES256GCM is the most secure.
Authentication: Select NULL, MD5, SHA1, SHA256, SHA384, or SHA512 to use for authentication.
Enable Replay Detection: Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel.
Enable Perfect Forward Secrecy (PFS): Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever the key lifetime expires.
Local Port: Select All or enter the local port number.
Remote Port: Select All or enter the remote port number.
Protocol: Select All or enter the protocol number.
Auto-negotiate: Enable the option if you want the tunnel to be automatically renegotiated when the tunnel expires.
Autokey Keep Alive: Select the check box if you want the tunnel to remain active when no data is being processed.
Key Lifetime: Select the method for determining when the Phase 2 key expires: Seconds, Kilobytes, or Both. If you select Both, the key expires when either the time has passed or the number of kilobytes has been processed.
Seconds: If you selected Seconds or Both for the key lifetime, enter the number of seconds.
Kilobytes: If you selected Kilobytes or Both for the key lifetime, enter the number of kilobytes.
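The Phase 1 and Phase 2 proposal tables above rank the algorithms (NULL and DES least secure, AES256GCM most secure), give the Phase 1 key lifetime range of 120 to 172,800 seconds, and state the pre-shared key rules (at least 6 printable characters, 16 or more random alphanumeric characters recommended, 128 maximum). The script below is an added example, not FortiProxy code, that audits a CLI dump of these settings against those rules so that weak tunnels can be found before they are deployed. It assumes FortiOS-style setting names (proposal, dhgrp, keylife, psksecret) inside the config / edit / set / next / end structure this guide uses; the configuration text and the pre-shared keys in it are constructed.

```python
"""Audit IPsec phase 1 / phase 2 proposals and pre-shared keys from a CLI dump.

Added example, not part of the guide. Setting names 'proposal', 'dhgrp',
'keylife' and 'psksecret' are assumed FortiOS-style names; the dump and
its keys are constructed for illustration.
"""
import secrets
import shlex
import string

# Constructed sample dump: branch-a is deliberately weak, branch-b is sound.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "branch-a"
        set proposal aes256-sha256 3des-sha1
        set dhgrp 14 5
        set keylife 86400
        set psksecret "abc123"
    next
    edit "branch-b"
        set proposal aes256gcm-prfsha384
        set dhgrp 19
        set keylife 100
        set psksecret "Hk39xQ7mLp2ZrT8vW4nB"
    next
end
config vpn ipsec phase2-interface
    edit "branch-a"
        set proposal null-md5 aes128-sha256
        set keylifeseconds 43200
    next
end
"""

WEAK_ENC = {"des", "3des", "null"}          # bottom of the guide's ranking
WEAK_AUTH = {"md5", "sha1", "null"}         # MD5/SHA1 are not collision resistant
WEAK_DH = {"1", "2", "5"}                   # practitioner judgement, not from the guide
KEYLIFE_MIN, KEYLIFE_MAX = 120, 172_800     # phase 1 range stated in the guide


def parse_config(text):
    """Return {section: {entry: {key: [values]}}} from a config/edit/set/next/end dump."""
    result, section, entry = {}, None, None
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())
        if not parts:
            continue
        if parts[0] == "config":
            section = " ".join(parts[1:])
            result.setdefault(section, {})
        elif parts[0] == "edit" and section is not None:
            entry = parts[1]
            result[section].setdefault(entry, {})
        elif parts[0] == "set" and entry is not None:
            result[section][entry][parts[1]] = parts[2:]
        elif parts[0] == "next":
            entry = None
        elif parts[0] == "end":
            section, entry = None, None
    return result


def check_psk(psk):
    """Apply the guide's PSK rules: 6..128 printable characters, 16 or more recommended."""
    issues = []
    printable = all(32 < ord(c) < 127 for c in psk)   # interpretation: visible ASCII
    if len(psk) < 6 or not printable:
        issues.append("psk: fewer than 6 printable characters")
    if len(psk) > 128:
        issues.append("psk: longer than 128 characters")
    if len(psk) < 16:
        issues.append("psk: shorter than the recommended 16 characters")
    return issues


def audit_entry(name, settings, phase):
    """Flag weak proposal members, weak DH groups, out-of-range key lifetimes and weak PSKs."""
    issues = []
    for prop in settings.get("proposal", []):
        enc, _, auth = prop.partition("-")        # e.g. "3des-sha1" -> ("3des", "sha1")
        if enc in WEAK_ENC:
            issues.append(f"{phase} {name}: weak encryption {enc} in {prop}")
        if auth in WEAK_AUTH:
            issues.append(f"{phase} {name}: weak authentication {auth} in {prop}")
    for g in settings.get("dhgrp", []):
        if g in WEAK_DH:
            issues.append(f"{phase} {name}: weak DH group {g}")
    for v in settings.get("keylife", []):
        if not v.isdigit() or not KEYLIFE_MIN <= int(v) <= KEYLIFE_MAX:
            issues.append(f"{phase} {name}: keylife {v} outside {KEYLIFE_MIN}..{KEYLIFE_MAX}")
    for psk in settings.get("psksecret", []):
        issues.extend(f"{phase} {name}: {i}" for i in check_psk(psk))
    return issues


def audit(text):
    """Audit every phase 1 and phase 2 entry in the dump; returns a list of findings."""
    findings = []
    for section, entries in parse_config(text).items():
        phase = "phase1" if "phase1" in section else "phase2"
        for name, settings in entries.items():
            findings.extend(audit_entry(name, settings, phase))
    return findings


def generate_psk(length=32):
    """Random alphanumeric PSK, never shorter than the guide's 16-character recommendation."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(max(length, 16)))


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("replacement PSK:", generate_psk())
```

On the sample dump the audit reports the 3DES/SHA1 proposal member, DH group 5, the short PSK and the NULL/MD5 Phase 2 member for branch-a, and the 100-second key lifetime for branch-b, while branch-b's AES-GCM proposal and 20-character key pass. Because phase 2 entries in the dump use a different lifetime key, the lifetime check is applied only to Phase 1, matching the range the guide states for that phase.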

IPsec Tunnel Template

Several tunnel templates are available in the IPsec VPN Wizard that cover a variety of different types of IPsec VPN. Go to VPN > IPsec Tunnel Template to see a list and descriptions of these templates:
- Site to Site - FortiProxy
- Site to Site - Cisco
Select a template and then select View to see the template details.


SSL-VPN Portals

The SSL-VPN portal enables remote users to access internal network resources through a secure channel using a web browser. FortiProxy administrators can configure login privileges for system users as well as the network resources that are available to the users.
This step in the configuration of the SSL-VPN tunnel sets up the infrastructure: the addressing, encryption, and certificates needed to make the initial connection to the FortiProxy unit. This step is also where you configure what the remote user sees after a successful connection. The portal view defines the resources available to the remote users and the functionality they have on the network.
Go to VPN > SSL-VPN Portals to see a list of available SSL-VPN portals.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the columns to display or to reset all the columns to their default settings. You can also drag column headings to change their order.
The following options are available:

Create New: Create an SSL-VPN portal. See Create or edit an SSL-VPN portal on page 357.
Edit: Edit an SSL-VPN portal. See Create or edit an SSL-VPN portal on page 357.
Delete: Delete an SSL-VPN portal.
Search: Enter a search term to find in the list.
Name: The name for the portal.
Tunnel Mode: Whether this portal is using tunnel mode.
Web Mode: Whether this portal is using web-only mode.
IPv6 Tunnel Mode: Whether this portal is using IPv6 tunnel mode.
Ref.: Displays the number of times the object is referenced by other objects. To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object.

Create or edit an SSL-VPN portal

Select Create New to open the New SSL-VPN Portal page.


Select an SSL-VPN portal from the list and then click Edit to open the Edit SSL-VPN Portal page.
Configure the following settings in the New SSL-VPN Portal page or Edit SSL-VPN Portal page and then click OK:

Name: The name for the portal. After you create the SSL-VPN portal, the name cannot be changed.


Limit Users to One SSL-VPN Connection at a Time: You can set the SSL VPN tunnel so that each user can log into the tunnel only once concurrently. That is, after logging into the portal, they cannot go to another system and log in with the same credentials again. This option is disabled by default.
Tunnel Mode: Enable to determine how tunnel-mode clients are assigned IPv4 addresses.
Enable Split Tunneling: If you want to use split tunneling, select Enabled Based on Policy Destination or Enabled for Trusted Destinations.
Routing Address Override: If you enable split tunneling, you are required to set the routing address, which is the address that your corporate network is using. Traffic intended for the routing address is not split from the tunnel.
Source IP Pools: Select an IP pool for users to acquire an IP address when connecting to the portal. There is always a default pool available if you do not create your own.
IPv6 Tunnel Mode: Move the slider to determine how tunnel-mode clients are assigned IPv6 addresses.
Enable IPv6 Split Tunneling: Select Disabled, Enabled Based on Policy Destination, or Enabled for Trusted Destinations.
IPv6 Routing Address Override: If you enable split tunneling, you are required to set the IPv6 routing address, which is the address that your corporate network is using. Traffic intended for the routing address is not split from the tunnel.
Source IPv6 Pools: Select an IPv6 pool for users to acquire an IP address when connecting to the portal. There is always a default pool available if you do not create your own.
Allow client to save password: When enabled, if the user selects this option, their password is stored on the user’s computer and will automatically populate each time they connect to the VPN.
Allow client to connect automatically: When enabled, if the user selects this option, when the FortiClient application is launched, for example after a reboot or system startup, FortiClient will automatically attempt to connect to the VPN tunnel.
Allow client to keep connections alive: When enabled, if the user selects this option, FortiClient should try to reconnect once it detects that the VPN connection is down unexpectedly (not manually disconnected by the user).
DNS Split Tunneling: Enable and then create or edit the DNS entry. See Create or edit a DNS entry on page 361.
Host Check: Enable and then select Realtime AntiVirus, Firewall, or Enable both.
Restrict to Specific OS Versions: Enable or disable.
Enable Web Mode: Enable for web-mode access.
Portal Message: This is a text header that appears on the top of the web portal.
Theme: Select a color styling specifically for the web portal.


Show Session Information: The Show Session Information widget displays the login name of the user, the amount of time the user has been logged in, and the inbound and outbound traffic statistics.
Show Connection Launcher: Displays the Connection Launcher widget in the web portal.
Show Login History: Select to include user login history on the web portal.
User Bookmarks: Enable to allow users to add their own bookmarks in the web portal.
Rewrite Content IP/UI/: Enable or disable whether the content can be rewritten.
RDP/VNC clipboard: Enable or disable the RDP/VNC clipboard.
Create New: Create a bookmark. See Create or edit a bookmark on page 361.
Edit: Edit a selected bookmark. See Create or edit a bookmark on page 361.
Delete: Delete a selected bookmark.
Search: Enter a search term to find in the list.
Enable FortiClient Download: Enable to allow users to customize the download URL for FortiClient.
Download Method: If you enable FortiClient download, select whether FortiClient will download directly or use the SSL-VPN proxy.
Customize Download Location: Enable to change the download location.
Windows: Enable to specify the Windows download location.
Mac: Enable to specify the Mac download location.

Disable the clipboard in SSL-VPN web-mode RDP connections

In web portal profiles, the clipboard can be disabled for SSL VPN web-mode RDP/VNC connections. Users will not be able to copy and paste content to or from the internal server.

To disable the RDP/VNC clipboard in the GUI:

1. Go to VPN > SSL-VPN Portals.
2. Select a portal and click Edit.
3. Disable RDP/VNC clipboard.
4. Click OK.

To disable the RDP/VNC clipboard in the CLI:

    config vpn ssl web portal
        edit <portal_name>
            set clipboard disable
        next
    end


Create or edit a bookmark

A web bookmark can include login credentials to automatically log the SSL-VPN user into the website. When the administrator configures bookmarks, the website credentials must be the same as the userʼs SSL-VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the website.
Select Create New to open the New Bookmark page.

Select a bookmark from the list and then click Edit to open the Edit Bookmark page.
Configure the following settings in the New Bookmark page or Edit Bookmark page and then click OK:

Name: Enter a name for the bookmark.
Type: Select the type of link from the drop-down list: HTTP/HTTPS, FTP, RDP, SFTP, SMB/CIFS, SSH, TELNET, or VNC.
URL: Enter the URL for the bookmark.
Description: Enter a brief description of the link.
Single Sign-On: If you want to use single sign-on, select SSL-VPN Login or Alternative.
SSO Form Data: If you selected SSL-VPN Login for SSO, select whether you want to use SSO form data.
Form Key: If you enabled SSO Form Data, enter the SSO form key.
Form Value: If you enabled SSO Form Data, enter one or more form values.
Username: If you selected Alternative for SSO, enter a user name for signing in.
Password: If you selected Alternative for SSO, enter a password for signing in.

Create or edit a DNS entry

You can create or edit a DNS entry for the SSL-VPN portal.


To create a DNS entry:

1. Go to VPN > SSL-VPN Portals and, under Tunnel Mode Client Options, enable DNS Split Tunneling.
2. In the Split DNS table, select Create New. The New DNS Entry window opens.
3. Enter one or more domains for the DNS entry.
4. Enter the IPv4 address of the primary DNS server.
5. Enter the IPv4 address of the secondary DNS server.
6. Enter the IPv6 address of the primary DNS server.
7. Enter the IPv6 address of the secondary DNS server.
8. Click OK to save your DNS entry. The new DNS entry is added to the table.
9. Click OK to save your changes to the SSL-VPN portal.

To edit a DNS entry:

1. Go to VPN > SSL-VPN Portals and, under Tunnel Mode Client Options, enable DNS Split Tunneling.
2. Select a DNS entry and then click Edit.
3. In the Edit DNS Entry page, make your changes.
4. Click OK to save your changes to the DNS entry.
5. Click OK to save your changes to the SSL-VPN portal.

SSL-VPN Settings

To configure the basic SSL-VPN settings for encryption and login options, go to VPN > SSL-VPN Settings.


Configure the following settings and then select Apply:

Enable SSL-VPN: Enable to use SSL-VPN.
Listen on Interface(s): Select + to choose one or more interfaces that the FortiProxy unit will use to listen for SSL-VPN tunnel requests. This is generally your external interface.
Listen on Port: Enter the port number for HTTPS access.
Redirect HTTP to SSL-VPN: Move the slider to redirect the admin HTTP port to the admin HTTPS port.
Restrict Access: Restrict accessibility to either Allow access from any host or Limit access to specific hosts.
Hosts: If you selected Limit access to specific hosts, enter the hosts.
Idle Logout: Enable if you want the user to log in again after the connection is inactive for the specified number of seconds.
Inactive For: Type the period of time (in seconds) that the connection can remain inactive before the user must log in again. The range is from 10 to 28800 seconds. Setting the value to 0 disables the idle connection timeout. This setting applies to the SSL-VPN session. The interface does not time out when web application sessions or tunnels are up.
Server Certificate: Select the signed server certificate to use for authentication. If you leave the default setting (Fortinet_Factory), the FortiProxy unit offers its built-in certificate from Fortinet to remote clients when they connect. A warning appears that recommends you generate a trusted certificate and import it for use.
Require Client Certificate: Select to use group certificates for authenticating remote clients. When the remote client initiates a connection, the FortiProxy unit prompts the client
Address Range: Select Automatically assign addresses or Specify custom IP ranges.
IP Ranges: If you selected Specify custom IP ranges, select the range or subnet firewall addresses that represent IP address ranges reserved for tunnel-mode SSL VPN clients.
DNS Server: Select Same as client system DNS or Specify.
DNS Server #1: If you select Specify, you can enter up to two DNS servers (IPv4 or IPv6) to be provided for the use of clients.
DNS Server #2: If you select Specify, you can enter up to two DNS servers (IPv4 or IPv6) to be provided for the use of clients.
IPv6 DNS Server #1: If you select Specify, you can enter up to two DNS servers (IPv4 or IPv6) to be provided for the use of clients.
IPv6 DNS Server #2: If you select Specify, you can enter up to two DNS servers (IPv4 or IPv6) to be provided for the use of clients.
Specify WINS Servers: Move the slider to access options for entering up to two WINS servers (IPv4 or IPv6) to be provided for the use of clients.

WINS Server #1 If you enabled Specify WINS Server, you can enter up to two WINS servers (IPv4
or IPv6) to be provided for the use of clients.

WINS Server #2 If you enabled Specify WINS Server, you can enter up to two WINS servers (IPv4
or IPv6) to be provided for the use of clients.

IPv6 WINS Server #1 If you enabled Specify WINS Server, you can enter up to two WINS servers (IPv4
or IPv6) to be provided for the use of clients.

IPv6 WINS Server #2 If you enabled Specify WINS Server, you can enter up to two WINS servers (IPv4
or IPv6) to be provided for the use of clients.

Create New Creates an authentication/portal mapping. See Create or edit an
authentication/portal mapping on page 366.

Edit Modifies the selected authentication/portal mapping. See Create or edit an
authentication/portal mapping on page 366.

Delete Removes the selected authentication/portal mapping.

Send SSL-VPN Configuration Click to email the SSL-VPN configuration.

API Preview The API Preview allows you to view all REST API requests being used by the
page. You can make changes on the page that are reflected in the API request
preview. This feature is not available if the user is logged in as an administrator
that has read-only GUI permissions.

Edit in CLI Click to open a CLI console window to view and edit the setting in the CLI. If there
are multiple CLI settings on the page, the CLI console shows the first setting.

To use the API Preview:

1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is
being created, the POST request is shown.
2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
4. Click Close to leave the preview.

Dual-stack IPv4 and IPv6 support for SSL VPN

Dual-stack IPv4 and IPv6 support for SSL-VPN servers and clients enables a client to establish a dual-stack tunnel that
carries both IPv4 and IPv6 traffic. Starting in FortiProxy 7.0.0, FortiProxy SSL-VPN clients also support dual stack,
which allows them to establish dual-stack tunnels with other FortiProxy units.
Users connecting in web mode can connect to the web portal over IPv4 or IPv6. They can access bookmarks in either
IPv4 or IPv6, depending on the preferred DNS setting of the web portal.

To enable dual stack in the CLI:

config vpn ssl settings
    set dual-stack-mode enable
end

Create or edit an authentication/portal mapping

Select Create New to open the New Authentication/Portal Mapping page.

Configure the following settings and then click OK:

Users/Groups Select + to choose which users and user groups to add.

Realm Select Default realm or Specify. If you select Specify, select a realm from the
drop-down list.

Portal Select an SSL-VPN portal from the drop-down list. To create an SSL-VPN portal,
see Create or edit an SSL-VPN portal on page 357.

SSL-VPN Personal Bookmarks

The administrator has the ability to view bookmarks the remote client has added to the remote clientʼs SSL-VPN login in
the bookmarks widget. This enables the administrator to monitor and, if needed, remove unwanted bookmarks that do
not meet with corporate policy.
To view and maintain remote client bookmarks, go to VPN > SSL-VPN Personal Bookmarks.

To enable personal bookmarks:

1. Go to System > Feature Visibility.
2. Enable SSL-VPN Personal Bookmark Management.
3. Click Apply.
To view the list of personal bookmarks, go to VPN > SSL-VPN Personal Bookmarks.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

View Select a bookmark and then select View to see the bookmark target.

Clear All Select Clear All to delete all personal bookmarks.

Delete Select a bookmark and then select Delete to remove the selected bookmark.

Search Enter a search term to find in the list.

User The user who created the bookmark.

User Group The user groups that have access to the bookmark.

Bookmarks The IP address source.

SSL-VPN Realms

You can go to VPN > SSL-VPN Realms and create custom login pages for your SSL-VPN users. You can use this
feature to customize the SSL-VPN login page for your users and also to create multiple SSL-VPN logins for different user
groups.
To view the list of available SSL-VPN realms, go to VPN > SSL-VPN Realms.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create an SSL-VPN realm. See Create or edit an SSL-VPN realm on page 368.

Edit Modify the selected SSL-VPN realm. See Create or edit an SSL-VPN realm on
page 368.

Delete Delete the selected SSL-VPN realm.

Search Enter a search term to find in the list.

URL Path The actual path for the custom login page.

Virtual Host The virtual host name for this realm.

Max Concurrent Users The maximum number of users that can access the custom login at any given
time.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create or edit an SSL-VPN realm

Select Create New to open the New SSL-VPN Realm window.

Select an SSL-VPN realm and then click Edit to open the Edit SSL-VPN Realm window.
Configure the following settings in the New SSL-VPN Realm window or Edit SSL-VPN Realm window and then click OK:

URL Path Enter the URL path to access the SSL-VPN login page. Do not include “http://”.

Limit Concurrent Users Move the slider to limit the number of users that can access the custom login at
any given time and then enter the maximum number of users.

Customize Login Page Enable if you want to change the login page for the SSL-VPN realm, click Edit,
and then make your changes in the text/html column.

Restore Defaults Select this option to undo your changes to the login page.

To configure SSL-VPN realms using the GUI:

1. Configure a custom SSL VPN login by going to VPN > SSL-VPN Realms and selecting Create New. Users access
different portals depending on the URL they enter.
2. Configure the settings and click OK.

3. After adding the custom login, you must associate it with the users that will access the custom login. Go to VPN >
SSL-VPN Settings. Under Authentication/Portal Mapping, select Create New and select the user groups and the
associated realm.
4. Click OK to save the authentication/portal mapping.
5. Click Apply to save your changes to the SSL-VPN settings.

User & Authentication

The User & Authentication menu allows you to configure user accounts, user groups, guests, authentication settings,
and FortiTokens.
FortiProxy units support the use of external authentication servers. An authentication server can provide password
checking for selected FortiProxy users, or it can be added as a member of a FortiProxy user group.
NOTE: If you are going to use authentication servers, you must configure the servers before you configure the
FortiProxy users or user groups that require them.
This section describes the following topics:
• User Definition on page 370
• User Groups on page 375
• Guest Management on page 379
• LDAP Servers on page 381
• RADIUS Servers on page 384
• TACACS+ Servers on page 386
• Kerberos on page 389
• SAML on page 390
• FortiTokens on page 394

User Definition

A user is defined in a user account that consists of a user name, password and, in some cases, other information that
can be configured on the unit or on an external authentication server. Users can access resources that require
authentication only if they are members of an allowed user group.
A local user is a user configured on a unit. The user can be authenticated with a password stored on the unit or with a
password stored on an authentication server. The user name must match a user account stored on the unit, and the user
name and password must match a user account stored on the authentication server associated with the user.
Go to User & Authentication > User Definition and select Create New to create new users with the Users/Groups
Creation Wizard.
To configure users, go to User & Authentication > User Definition.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.

The following options are available:

Create New Run the Users/Groups Creation Wizard and create a user. You can also use the
wizard to create new groups. See Create a user on page 371.

Edit User Edit a user. See Edit a user on page 374.

Clone Make a copy of a user.

Delete Delete a user or users.

Search Enter a search term to find in the user list.

User Name The name of the user.

Type The type of user, such as Local or LDAP.

Two-factor Authentication Displays whether the user has token two-factor authentication enabled.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create a user

Use the Users/Groups Creation Wizard to create user accounts. From the User Definition page, select Create New to
start the wizard.

To create a local user:

1. In the User Type page, select Local User and then select Next.
2. In the Login Credentials page, enter a user name and password for the new user and then select Next.
3. In the Contact Info page, enter an email address for the user and then select Next. Alternatively, you can supply the
userʼs SMS contact information. To assign a FortiToken to the user, enable Two-factor Authentication and select a
token from the drop-down menu provided. The Contact Info page is optional.
4. In the Extra Info page, select Enabled to make the new user active. To place the user into a group, enable User
Group and then select a group from the drop-down menu. For information on user groups, see Create or edit a user
group on page 377.
5. Select Submit to create the new local user.

To create a remote RADIUS user:

1. In the User Type page, select Remote RADIUS User and then select Next.
2. In the RADIUS Server page, enter a user name, select a RADIUS server from the drop-down menu, and then select
Next. For information on RADIUS servers, see Create or edit a RADIUS server on page 385.
3. In the Contact Info page, enter an email address for the user and then select Next. Alternatively, you can supply the
userʼs SMS contact information. To assign a FortiToken to the user, enable Two-factor Authentication and select a
token from the drop-down menu provided. The Contact Info page is optional.
4. In the Extra Info page, select Enabled to enable the new user. To place the user into a group, enable User Group
and then select a group from the drop-down menu. For information on user groups, see Create or edit a user group
on page 377.
5. Select Submit to create the new RADIUS user.

To create a remote TACACS+ user:

By default, the TACACS+ Servers option under User & Device is not visible unless you add a
server using the following CLI command:

config user tacacs+
    edit <name>
        set server <IP_address>
    next
end

1. In the User Type page, select Remote TACACS+ User and then select Next.
2. In the TACACS+ Server page, enter a user name, select a TACACS+ server from the drop-down menu, and then
select Next. For information on TACACS+ servers, see Create or edit a TACACS server on page 388.
3. In the Contact Info page, enter an email address for the user and then select Next. Alternatively, you can supply the
userʼs SMS contact information. To assign a FortiToken to the user, enable Two-factor Authentication and select a
token from the drop-down menu provided. The Contact Info page is optional.
4. In the Extra Info page, select Enabled to enable the new user. To place the user into a group, enable User Group
and then select a group from the drop-down menu. For information on user groups, see Create or edit a user group
on page 377.
5. Select Submit to create the new TACACS+ user.

To create a remote LDAP user:

1. In the User Type page, select Remote LDAP User and then select Next.
2. In the LDAP Server page, select an existing LDAP server from the drop-down menu or create an LDAP server and
then select Next. To create an LDAP server, select the Create New icon in the drop-down menu, enter the required
information, and then click OK. For information on LDAP servers, see Create or edit an LDAP server on page 382.
3. In the Remote Users page, enter and apply the LDAP filter, enter a search term to search the server, and select a
user from the results.
4. Select Submit to create the remote LDAP user.

To use Fortinet Single Sign-On (FSSO):

1. In the User Type page, select FSSO and then select Next.
2. In the Remote Groups page, select the FSSO agent, select an AD group, and then select Next.
To create an AD group, see To create an AD group:.
3. In the Local Group page, select Choose Existing or Create New.
If you select Choose Existing, select the FSSO group name from the drop-down menu.
If you select Create New, enter the name of the FSSO group in the field.
4. Select Submit to use FSSO.
5. Click OK in the confirmation dialog box.

To create an AD group:

config user adgrp
    edit <AD_group_name>
        set server-name <FSSO_agent_name>
    next
end

For example:

config user adgrp
    edit adgroup1
        set server-name NewFSSOserver
    next
end

To enable DNS service lookup:

config user domain-controller
    edit "win2016"
        set ad-mode ds
        set dns-srv-lookup enable
        set hostname "win2016"
        set username "replicate"
        set password **********
        set domain-name "SMB2016.LAB"
    next
end

To specify the source IP and port for the fetching domain controller:

config user domain-controller
    edit "win2016"
        set ad-mode ds
        set hostname "win2016"
        set username "replicate"
        set password **********
        set ip-address 172.18.52.188
        set source-ip-address 172.16.100.1
        set source-port 2000
        set domain-name "SMB2016.LAB"
    next
end

To use an LDAP server as a credential store:

1. Configure the LDAP server:

config user ldap
    edit "openldap"
        set server "172.18.60.214"
        set cnid "cn"
        set dn "dc=qafsso,dc=com"
        set type regular
        set username "cn=Manager,dc=qafsso,dc=com"
        set password **********
        set antiphish enable
        set password-attr "userPassword"
    next
end

2. Configure the web filter profile:

config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set action block
                next
            end
        end
        config antiphish
            set status enable
            config inspection-entries
                edit "cat34"
                    set fortiguard-category 34
                    set action block
                next
            end
            set authentication ldap
            set ldap "openldap"
        end
        set log-all-url enable
    next
end

To configure Active Directory in LDS mode:

config user domain-controller
    edit "win2016adlds"
        set ad-mode lds
        set hostname "win2016adlds"
        set username "foo"
        set password **********
        set ip-address 192.168.10.9
        set domain-name "adlds.local"
        set adlds-dn "CN=adlds1part1,DC=ADLDS,DC=COM"
        set adlds-ip-address 192.168.10.9
        set adlds-port 3890
    next
end

Edit a user

To edit a user:

1. Select the user you want to edit and then click Edit User from the toolbar or double-click on the user in the table. The
Edit User window opens.

2. Edit the user information as required or select Disabled to disable the user account.
3. Click OK to apply your changes.

User Groups

A user group is a list of user identities. An identity can be one of the following:
• a local user account (user name and password) stored on the Fortinet unit
• a local user account with a password stored on a RADIUS, LDAP, or TACACS+ server
• a RADIUS, LDAP, or TACACS+ server (all identities on the server can authenticate)
• a user or user group defined on a Directory Service server
There are four types of user groups:
• Firewall
• Fortinet Single Sign-On (FSSO)
• RADIUS Single Sign-On (RSSO)
• Guest
For each resource that requires authentication, you specify which user groups are permitted access. You need to
determine the number and membership of user groups appropriate to your authentication needs.
Users that are associated with multiple groups have access to all services within those user groups. This access is only
available in the CLI with the auth-multi-group command, which is enabled by default. This feature checks all groups
a user belongs to for firewall authentication.

To configure user groups, go to User & Authentication > User Groups.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a user group. See Create or edit a user group on page 377.

Edit Edit a user group. See Create or edit a user group on page 377.

Clone Make a copy of a user group.

Delete Delete a group or groups.

Search Enter a search term to search the user group list.

Group Name The name of the user group.

Group Type The type of group: Firewall, Fortinet Single Sign-On (FSSO), RADIUS Single-Sign-On (RSSO), or Guest.

Members The names of the members in the group.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create or edit a user group

To create a user group:

1. In the user group list, select Create New from the toolbar. The Create User Group window opens.

2. Enter a name for the group in the Name field.
3. Select the group type in the Type field, one of: Firewall, Fortinet Single Sign-On (FSSO), RADIUS Single-Sign-On
(RSSO), or Guest.
4. Enter the following information, depending on the group type selected:

Firewall This type of group can be selected in any security policy that requires firewall
authentication.

Logic Type Select whether OR or AND logic is used for matching memberships of a user
group.

Members If you selected a Firewall user group, select users to add to the group from the
drop-down list.

Fortinet Single Sign-On (FSSO) This type of group can be selected in any security policy that requires FSSO
authentication.

Logic Type Select whether OR or AND logic is used for matching memberships of a user
group.

Members If you selected the FSSO user group, select users to add to the group from the
drop-down list.

RADIUS Single Sign-On (RSSO) This type of group can be selected in any security policy that requires RSSO
authentication.

RADIUS Attribute Value If you selected the RSSO user group, enter the RADIUS attribute value. This
value matches the value from the RADIUS Accounting-Start attribute.

Guest This type of group can be selected in any security policy that allows guest
authentication.

Batch Guest Account Creation If you selected the Guest user group, enable the creation of batches of guest
accounts.
When enabled, only the Maximum Accounts, Start Countdown, and Time
options are available.

User ID If you selected the Guest user group, select a user identifier option:
• Email: The user identifier is emailed.
• Auto Generated: The user identifier is generated automatically.
• Specify: The user identifier must be specified.

Maximum Accounts If you selected the Guest user group, enable Maximum Accounts to limit how
many accounts exist and then enter the maximum number in the field.

Require Name If you selected the Guest user group, enable Require Name to require names
for guests.

Require Email If you selected the Guest user group, enable Require Email to require email
addresses for guests.

Require SMS If you selected the Guest user group, enable Require SMS to require SMS
contact information for guests.

Password If you selected the Guest user group, enable Password to require passwords
for guests and then select a password option:
• Auto Generated: The password is generated automatically.
• Specify: The password must be specified.

Sponsor If you selected the Guest user group, enable Sponsor and select Required to
make a sponsor a requirement for guests.

Company If you selected the Guest user group, enable Company and select Required to
make a company a requirement for guests.

Start Countdown If you selected the Guest user group, select when the expiration countdown
begins for the user group, either On account Creation or After first login.

Time If you selected the Guest user group, select the expiration time for the user
group in Days, Hours, Minutes, and Seconds.

5. Click OK to create the new user group.

To edit a user group:

1. Select the group you want to edit and then click Edit from the toolbar or double-click on the group in the table. The
Edit User Group window opens.
2. Edit the information as required and then click OK to apply your changes.

Guest Management

Visitors to your premises might need user accounts on your network for the duration of their stay. If you are hosting a
large event such as a conference, you might need to create many such temporary accounts. The FortiProxy Guest
Management feature is designed for this purpose.
A guest user account User ID can be the userʼs email address, a randomly generated string, or an ID that the
administrator assigns. Similarly, the password can be administrator-assigned or randomly generated.
You can create many guest accounts at the same time using randomly generated User IDs and passwords. This reduces
administrator workload for large events.
To set up guest user access, you need to create at least one guest user group and add guest user accounts. Optionally,
you can create a guest management administrator whose only function is the creation of guest accounts in specific guest
user groups. Otherwise, any administrator can do guest management.
To manage guest access, go to User & Authentication > Guest Management.
NOTE: You must create a user group with the Guest group type before the toolbar is displayed on the Guest
Management page.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New > User Create a guest user account. See Create or edit a guest user account on page
380.

Create New > Multiple Users Create more than one guest user account at the same time. See Create multiple
guest user accounts on page 380.

Edit Modify a guest user account. See Create or edit a guest user account on page
380.

Delete Remove the selected guest user account.

Purge Remove all expired accounts from the list.

Print Print the network guest access credentials, including the user identifiers,
passwords, and expiration date and time.

Search Enter a search term to find in the guest user list.

User ID An automatically generated number to identify the guest user.

Expires Date and time when the guest user account becomes inactive.

Comments An optional description of the guest user account.

Create or edit a guest user account

Select Create New > User to open the New User page.

Select a guest user account and then click Edit to open the Edit User page.
Configure the following settings in the New User page or Edit User page and then click OK:

User ID The user identifier is automatically generated when you create a guest user
account, but you can edit it.

Password The password is automatically generated when you create a guest user account,
but you can edit it.

Expiration Date and time when the guest user account becomes inactive.

Comments An optional description of the guest user account.

Create multiple guest user accounts

Select Create New > Multiple Users to open the New User page.

Configure the following settings in the New User page and then click OK:

Number of Accounts Enter the number of guest user accounts that you want to create.

Expiration Date and time when the guest user accounts become inactive.

LDAP Servers

LDAP is an Internet protocol used to maintain authentication data that can include departments, people, groups of
people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of defined
operations, and a request/response network.
To manage LDAP servers, go to User & Authentication > LDAP Servers.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create an LDAP server. See Create or edit an LDAP server on page 382.

Edit Modify an LDAP server. See Create or edit an LDAP server on page 382.

Clone Make a copy of an LDAP server.

Delete Remove a server or servers.

Search Enter a search term to find in the LDAP server list.

Name The name that identifies the LDAP server on the Fortinet unit.

Server The domain name or IP address of the LDAP server.

Port The TCP port used to communicate with the LDAP server. By default, LDAP uses
port 389.

Common Name Identifier The common name identifier for the LDAP server.

Distinguished Name The base distinguished name for the server using the correct X.500 or LDAP
format. The unit passes this distinguished name unchanged to the server.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create or edit an LDAP server

To add a new LDAP server:

1. In the LDAP server list, select Create New from the toolbar. The Create LDAP Server window opens.

2. Configure the following:

Name Enter the name that identifies the LDAP server on the FortiProxy unit.

Server IP/Name Enter the domain name or IP address of the LDAP server.

Server Port Enter the TCP port used to communicate with the LDAP server. By default,
LDAP uses port 389.
If you use a secure LDAP server, the default port changes if you select Secure
Connection.

Common Name Identifier Enter the common name identifier for the LDAP server. The maximum number
of characters is 20.

Distinguished Name Enter the base distinguished name for the server using the correct X.500 or
LDAP format. The unit passes this distinguished name unchanged to the
server. The maximum number of characters is 512. You can also select
Browse to contact and retrieve the specified LDAP server.

Bind Type Select the type of binding for LDAP authentication.
• Simple: Connect directly to the LDAP server with user name/password
authentication.
• Anonymous: Connect as an anonymous user on the LDAP server and
then retrieve the user name/password and compare them to given values.
• Regular: Connect to the LDAP server directly with user name and
password and then receive acceptance or rejection based on search of
given values. Enter the user name and password of the user to be
authenticated in the Username and Password fields.

Secure Connection Enable to use a secure LDAP server connection for authentication.

Protocol If you enabled Secure Connection, select a secure LDAP protocol to use for
authentication, either STARTTLS or LDAPS.
Depending on your selection, the server port changes to the default port for the
selected protocol:
• STARTTLS: port 389
• LDAPS: port 636

Certificate If you enabled Secure Connection, select a certificate to use for authentication
from the list.

Test Connectivity Select Test Connectivity to test if the LDAP server can be contacted.

3. Click OK to create the new LDAP server.

To edit an LDAP server:

1. Select the LDAP server you want to edit and then click Edit from the toolbar or double-click on the address in the
address table. The Edit LDAP Server window opens.
2. Edit the server information as required and click OK to apply your changes.

RADIUS Servers

RADIUS is a broadly supported client-server protocol that provides centralized authentication, authorization, and
accounting functions. RADIUS clients are built into gateways that allow access to networks, such as Virtual Private
Network (VPN) servers, Network Access Servers (NASs), and network switches and firewalls that use
authentication. FortiProxy units fall into the last category.
RADIUS servers use UDP packets to communicate with the RADIUS clients on the network to do the following:
• Authenticate users before allowing them access to the network
• Authorize access to resources by appropriate users
• Account or bill for those resources that are used
RADIUS servers are currently defined by RFC 2865 (RADIUS) and RFC 2866 (Accounting). They listen for requests on
either UDP ports 1812 (authentication) and 1813 (accounting) or ports 1645 (authentication) and 1646 (accounting).
RADIUS servers exist for all major operating systems.
You must configure the RADIUS server to accept the FortiProxy unit as a client. FortiProxy units use the authentication
and accounting functions of the RADIUS server.
When a configured user attempts to access the network, the FortiProxy unit forwards the authentication request to the
RADIUS server, which then matches the user name and password remotely. After authentication succeeds, the RADIUS
server passes the Authorization Granted message to the FortiProxy unit, which then grants the user permission to
access the network.
The RADIUS server and its clients, including the FortiProxy unit, share a “shared secret” key and use it, together with
MD5 hashing, to hide information passed between them. Typically, only the user credentials are hidden; the rest of the
exchange is sent in clear text.
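The shared-secret mechanism described above, worked through as an added example (this is not code from the page or from Fortinet): the User-Password hiding of RFC 2865 section 5.2, applied to a constructed Access-Request. The Request Authenticator, shared secret, user name and password are demo values. The code shows that only the password is transformed, that the transform depends on the secret, and that User-Name and the rest of the packet travel in clear text.

```python
import hashlib
import struct

# Constructed demo values, not taken from the page: a 16-octet Request
# Authenticator (normally random per request) and a short shared secret.
DEMO_AUTHENTICATOR = bytes.fromhex("0f403f9473978057bd83d5cb98f4227a")
DEMO_SECRET = b"demo-shared-secret"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obscure a User-Password attribute value as in RFC 2865 section 5.2.

    The password is NUL-padded to a multiple of 16 octets. Each 16-octet block
    is XORed with MD5(secret + previous output block); for the first block the
    Request Authenticator plays the role of the previous block.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows passwords of 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    # Strip the NUL padding that hide_password appended.
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes, username: bytes,
                         password: bytes, secret: bytes) -> bytes:
    """Minimal Access-Request: only User-Password (attribute 2) is hidden;
    User-Name (attribute 1) and the header travel in clear text."""
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    # Header: Code 1 = Access-Request, Identifier, Length, Request Authenticator.
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


if __name__ == "__main__":
    pkt = build_access_request(7, DEMO_AUTHENTICATOR, b"alice", b"s3cret!", DEMO_SECRET)
    print("User-Name visible on the wire:", b"alice" in pkt)
    print("password visible on the wire:", b"s3cret!" in pkt)
```

Because the keystream is MD5 over the secret and a value visible on the wire, the strength of the scheme rests entirely on the secret and on the path to the server; the guide's recommendation to use the maximum secret length follows from this.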
To manage RADIUS servers, go to User & Authentication > RADIUS Servers.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a RADIUS server. See Create or edit a RADIUS server on page 385.

Edit Modify a RADIUS server. See Create or edit a RADIUS server on page 385.

Clone Make a copy of a RADIUS server.

Delete Remove a server or servers.

Search Enter a search term to find in the RADIUS server list.

Name The name that identifies the RADIUS server on the unit.

Server IP/Name The domain name or IP address of the primary and, if applicable, secondary,
RADIUS server.


Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create or edit a RADIUS server

To add a RADIUS server:

1. In the RADIUS server list, select Create New from the toolbar. The New RADIUS Server window opens.


2. Configure the following:

Name Enter the name that is used to identify the RADIUS server on the FortiProxy
unit.

Primary Server IP/Name Enter the domain name or IP address of the primary RADIUS server.

Primary Server Secret Enter the RADIUS server secret key for the primary RADIUS server. The
primary server secret key length can be up to a maximum of 16 characters.
For security reasons, it is recommended that the server secret key be the
maximum length.

Test Connectivity Select Test Connectivity to test if the primary and secondary RADIUS servers
can be contacted using the domain name or IP address and secret provided.

Secondary Server IP/Name Enter the domain name or IP address of the secondary RADIUS server, if
applicable.

Secondary Server Secret Enter the RADIUS server secret key for the secondary RADIUS server. The
secondary server secret key can be up to a maximum length of 16 characters.

Authentication Method Select Default to authenticate with the default method.
Select Specify to override the default authentication method and then select
the protocol from the list: MSCHAP-v2, MS-CHAP, CHAP, or PAP.

NAS IP Optionally, enter the NAS IP address (RADIUS Attribute 31, outlined in RFC
2548).
In this configuration, the FortiProxy unit is the NAS, which is how the RADIUS
server registers all valid servers that use its records.
If you do not enter an IP address, the IP address that the Fortinet interface
uses to communicate with the RADIUS server is applied.

Include in every User Group Enable to have the RADIUS server automatically included in all user groups.

3. Click OK to create the new RADIUS server.

To edit a RADIUS server:

1. Select the RADIUS server you want to edit and then click Edit from the toolbar or double-click on the server in the
server table. The Edit RADIUS Server window opens.
2. Edit the server information as required and click OK to apply your changes.

TACACS+ Servers

TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and
other networked computing devices through one or more centralized servers. TACACS+ allows a client to accept a user
name and password and send a query to a TACACS+ authentication server. The server host determines whether to
accept or deny the request and sends a response back that allows or denies the user access to the network.
TACACS+ offers fully encrypted packet bodies and supports both IP and AppleTalk protocols. TACACS+ uses TCP port
49, which is seen as more reliable than RADIUS’s UDP.
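As an added example (not code from the page or from Fortinet), the body obfuscation behind the "encrypted packet bodies" mentioned above, as specified in RFC 8907 section 4.5: a pad of chained MD5 digests over the session ID, the key, the version and the sequence number, XORed with the body. The key, session ID and credentials are constructed demo values. The 12-byte header is never obfuscated, and a packet with the unencrypted flag set carries the body in clear text, which is what a missing or mismatched key looks like on the wire.

```python
import hashlib
import struct

# Header constants from the TACACS+ specification (RFC 8907).
TAC_PLUS_MAJOR_VER = 0xC          # version byte = major << 4 | minor
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in clear text when set
HEADER_LEN = 12

# Constructed demo values, not from the page.
DEMO_KEY = b"demo-tacacs-key"
DEMO_SESSION_ID = 0x1234ABCD


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5: a chain of MD5 digests over
    session_id, key, version, seq_no and the previous digest, cut to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def build_authen_start(user: bytes, password: bytes, port: bytes = b"tty0",
                       rem_addr: bytes = b"192.0.2.10") -> bytes:
    """Authentication START body for a PAP login (RFC 8907 section 5.1):
    action LOGIN (1), priv_lvl 1, authen_type PAP (2), service LOGIN (1)."""
    head = bytes([1, 1, 2, 1, len(user), len(port), len(rem_addr), len(password)])
    return head + user + port + rem_addr + password


def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1,
                 unencrypted: bool = False) -> bytes:
    """Wrap a body in a TACACS+ header, XORing it with the pad unless the
    unencrypted flag is set. The header itself is always sent in the clear."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    if unencrypted:
        payload = body
    else:
        pad = pseudo_pad(session_id, key, version, seq_no, len(body))
        payload = bytes(b ^ p for b, p in zip(body, pad))
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + payload


def unwrap_packet(packet: bytes, key: bytes) -> bytes:
    """Recover the body from a packet on the wire (what the server side does)."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    payload = packet[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(payload, pad))


if __name__ == "__main__":
    body = build_authen_start(b"alice", b"s3cret!")
    wire = build_packet(body, DEMO_KEY, DEMO_SESSION_ID)
    print("password visible with key:", b"s3cret!" in wire)
    clear = build_packet(body, DEMO_KEY, DEMO_SESSION_ID, unencrypted=True)
    print("password visible with unencrypted flag:", b"s3cret!" in clear)
```

Like the RADIUS case, this is MD5-based obfuscation keyed by the shared secret rather than authenticated encryption, so the 16-character server secret and the network path to the TACACS+ server deserve the same care; a packet capture showing the unencrypted flag set on port 49 is worth alerting on.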


By default, the TACACS+ Servers option under User & Device is not visible unless you add a
server using the following CLI command:
config user tacacs+
edit <name>
set server <IP_address>
next
end

To manage TACACS+ servers, go to User & Authentication > TACACS+ Servers.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a TACACS+ server. See Create or edit a TACACS server on page 388.

Edit Modify a TACACS+ server. See Create or edit a TACACS server on page 388.

Clone Make a copy of a TACACS+ server.

Delete Remove a server or servers.

Search Enter a search term to find in the TACACS+ server list.

Name The name that identifies the TACACS+ server on the unit.

Server The domain name or IP address of the TACACS+ server.

Authentication Type The authentication type used by the server.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.


Create or edit a TACACS server

To add a TACACS+ server:

1. In the TACACS+ server list, select Create New from the toolbar. The New TACACS+ Server window opens.

2. Configure the following:

Name Enter the name of the TACACS+ server.

Server IP/Name Enter the server domain name or IP address of the TACACS+ server.

Server Secret Enter the key to access the TACACS+ server. The server key can be a
maximum of 16 characters in length.

Authentication Type Select the authentication type to use for the TACACS+ server: Auto,
MSCHAP, CHAP, PAP, or ASCII.
Auto authenticates using PAP, MSCHAP, and CHAP, in that order. For more
information, see Authentication protocols.

3. Click OK to create the new TACACS+ server.

To edit a TACACS+ server:

1. Select the TACACS+ server you want to edit and then click Edit from the toolbar or double-click on the server in
the server table. The Edit TACACS+ Server window opens.
2. Edit the server information as required and click OK to apply your changes.

Authentication protocols

ASCII Machine-independent technique that uses representations of English characters.
Requires user to type a user name and password that are sent in clear text
(unencrypted) and matched with an entry in the user database, which is stored in
ASCII format.

PAP Password Authentication Protocol (PAP). Used to authenticate PPP connections.
Transmits passwords and other user information in clear text.


CHAP Challenge-Handshake Authentication Protocol (CHAP). Provides the same
functionality as PAP but is more secure because it does not send the password
and other user information over the network to the security server.

MSCHAP Microsoft Challenge-Handshake Authentication Protocol v1 (MSCHAP).
Microsoft-specific version of CHAP.

Auto The default protocol configuration, Auto, uses PAP, MSCHAP, and CHAP, in that
order.

Kerberos

Kerberos authentication is a method for authenticating both explicit web proxy and transparent web proxy users. It has
several advantages over NTLM challenge response:
l Does not require FSSO/AD agents to be deployed across domains.
l Requires fewer round-trips than NTLM SSO, making it less latency sensitive.
l Is (probably) more scalable than challenge response.
l Uses existing Windows domain components rather than added components.
l NTLM may still be used as a fallback for non-Kerberos clients.
To configure Kerberos authentication service, go to User & Authentication > Kerberos.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a Kerberos authentication service. See Create or edit a Kerberos
authentication service on page 390.

Edit Modify a Kerberos authentication service. See Create or edit a Kerberos
authentication service on page 390.

Delete Remove a Kerberos authentication service or services.

Name The name of the Kerberos authentication service.

Principal The server domain name of the Kerberos authentication service.

LDAP Server The name of the LDAP server used for authorization.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.


Create or edit a Kerberos authentication service

To add a new Kerberos authentication service:

1. In the Kerberos service list, select Create New from the toolbar. The New Kerberos window opens.

2. Configure the following:

Name Enter the name of the Kerberos authentication service.

Principal Enter the server domain name of the Kerberos authentication service.

LDAP Server Enter the name of the LDAP server used for authorization.

Keytab File Select Upload and then navigate to the file that contains the shared secret.
Use the ktpass command (found on Windows servers and many domain
workstations) to generate the Kerberos keytab.

Parsing PAC Data Move the slider if you want to use proxy auto-config (PAC).

3. Click OK to create the new Kerberos authentication service.
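The Keytab File field takes the file that ktpass produces, and that file is the shared secret for the service. As an added example (not code from the page or from Fortinet), a reader for the MIT keytab format that lists principal, kvno and encryption type without printing key bytes, plus the check a proxy administrator wants before uploading: that the service principal matches the Principal configured above and that no obsolete encryption type (DES, RC4) is present. The principal name, key bytes and timestamps are constructed, and build_keytab exists only to produce that demo input.

```python
import struct

# Kerberos encryption type numbers (RFC 3961 / IANA registry) relevant to a
# keytab audit; types 1, 3 and 23 are obsolete and should not be offered.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}
KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format version 2


def _cos(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the octets."""
    return struct.pack("!H", len(data)) + data


def build_keytab(entries) -> bytes:
    """Serialise entries (dicts with principal, kvno, enctype, key, timestamp)
    in the MIT keytab layout; used here only to construct demo input."""
    out = KEYTAB_MAGIC
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack("!H", len(comps)) + _cos(realm.encode())
        for c in comps:
            body += _cos(c.encode())
        # name_type 1 = KRB5_NT_PRINCIPAL, timestamp, 8-bit kvno
        body += struct.pack("!IIB", 1, e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack("!H", e["enctype"]) + _cos(e["key"])
        body += struct.pack("!I", e["kvno"])  # optional 32-bit kvno
        out += struct.pack("!i", len(body)) + body
    return out


def parse_keytab(data: bytes):
    """Return the entries without exposing key material (only its length)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []

    def read_cos(p):
        (n,) = struct.unpack_from("!H", data, p)
        return data[p + 2:p + 2 + n], p + 2 + n

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from("!i", data, pos)
        pos += 4
        if size < 0:           # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from("!H", data, pos)
        p = pos + 2
        realm, p = read_cos(p)
        comps = []
        for _ in range(ncomp):
            c, p = read_cos(p)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from("!IIB", data, p)
        p += 9
        (enctype,) = struct.unpack_from("!H", data, p)
        key, p = read_cos(p + 2)
        kvno = vno8
        if end - p >= 4:       # 32-bit kvno present after the key block
            (kvno,) = struct.unpack_from("!I", data, p)
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
            "enctype": enctype, "key_len": len(key),
        })
        pos = end
    return entries


def audit_keytab(data: bytes, expected_principal: str):
    """Findings to resolve before uploading: the service principal must be
    present and no weak encryption type should be in the file."""
    findings = []
    entries = parse_keytab(data)
    if not any(e["principal"] == expected_principal for e in entries):
        findings.append(f"no entry for expected principal {expected_principal}")
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(f"weak enctype {ENCTYPE_NAMES.get(e['enctype'], e['enctype'])} "
                            f"for {e['principal']} (kvno {e['kvno']})")
    return findings


# Constructed demo keytab: hypothetical principal, dummy key bytes.
DEMO_KEYTAB = build_keytab([
    {"principal": "HTTP/proxy.example.com@EXAMPLE.COM", "kvno": 300,
     "enctype": 18, "key": b"\x11" * 32, "timestamp": 1700000000},
    {"principal": "HTTP/proxy.example.com@EXAMPLE.COM", "kvno": 300,
     "enctype": 23, "key": b"\x22" * 16, "timestamp": 1700000000},
])
```

Run audit_keytab(open("proxy.keytab", "rb").read(), "HTTP/proxy.example.com@EXAMPLE.COM") against a real file (path and principal are placeholders); an empty list means the file is ready to upload, and the kvno it reports is what must match the key version the domain controller currently holds for the account.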

To edit the Kerberos authentication service:

1. Select the Kerberos authentication service you want to edit and then click Edit from the toolbar or double-click on
the service in the service table. The Edit Kerberos window opens.
2. Edit the service information as required and click OK to apply your changes.

SAML

Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging
authentication and authorization data between two security domains: an Identity Provider (IdP) and a Service Provider
(SP). The FortiProxy unit supports the SAML protocol and will act as a Service Provider.


In SAML-SP authentication, the FortiProxy unit redirects unauthenticated users to the IdP (FortiAuthenticator, Okta
Identity, Microsoft ADFS, or similar) for authentication. After the user is authenticated with the IdP, the user is redirected
to the FortiProxy unit with SAML assertion information using the POST method. The assertion information includes the
authentication result, user name, and group in attribute assertions (or claim in terms of ADFS). Based on that
information, the FortiProxy unit executes both authentication and authorization (matching the user to the group). If the
IdP is Microsoft ADFS, the FortiProxy unit supports resolving the user group information through the LDAP query with
Kerberos or NTLM authentication.
To manage SAML servers, go to User & Authentication > SAML.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create New Create a SAML server. See Create or edit a SAML server on page 392.

Edit Modify a SAML server. See Create or edit a SAML server on page 392.

Delete Remove a server or servers.

Name The name that identifies the SAML server on the Fortinet unit.

Entity ID The SP entity identifier.

Single Sign On URL The SP single sign-on URL.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

ADFS Claim Enable or disable the ADFS claim for the user and group attributes in the
assertion statement.

digest-method Which algorithm is used for the digest method.

Group Claim Type The group claim in the assertion statement.

Group Name The group name in assertion statement.

IDP Entity ID The IDP entity identifier.

IDP Single Logout URL The IDP single logout URL.

IDP Single Sign On URL The IDP single sign-on URL.

Single Logout URL The SP single logout URL.

User Claim Type The user name claim in the assertion statement.

User Name The user name in the assertion statement.


Create or edit a SAML server

To add a new SAML server in the GUI:

1. In the SAML server list, click Create New from the toolbar. The Create SAML window opens.


2. Configure the following:

Name Enter the name that identifies the SAML server on the FortiProxy unit.

Certificate Select the certificate to sign SAML messages.

Entity ID Enter the service provider entity identifier. The URL must start with http://
or https://.

Single Sign On URL Enter the service provider single sign-on URL. The URL must start with
http:// or https://.

Single Logout URL Enter the service provider single logout URL. The URL must start with
http:// or https://.

IDP Entity ID Enter the identity provider entity identifier. The URL must start with http://
or https://.

IDP Single Sign On URL Enter the identity provider single sign-on URL. The URL must start with
http:// or https://.

IDP Single Logout URL Enter the identity provider single logout URL. The URL must start with
http:// or https://.

IDP Certificate Enter the identity provider certificate name.

User Name Enter the user name in the assertion statement.

Group Name Enter the group name in the assertion statement.

Digest Method Algorithm Select the algorithm used for the digest method.

ADFS Claim Enable or disable the ADFS claim for the user and group attributes in the
assertion statement.

User Claim Type Select the user name claim in the assertion statement.

Group Claim Type Select the group claim in the assertion statement.

3. Click OK to create the new SAML server.

To add a new SAML server in the CLI:

config user saml
edit <SAML_server_entry_name>
set cert <certificate_to_sign_SAML_messages>
set entity-id <service_provider_entity_ID>
set single-sign-on-url <service_provider_single_sign-on_URL>
set single-logout-url <service_provider_single_logout_URL>
set idp-entity-id <identity_provider_entity_ID>
set idp-single-sign-on-url <identity_provider_single_sign-on_URL>
set idp-single-logout-url <identity_provider_single_logout_URL>
set idp-cert <identity_provider_certificate_name>
set user-name <user_name_in_assertion_statement>
set group-name <group_name_in_assertion_statement>
set algo {sha1 | sha256}
set adfs-claim {enable | disable}
set limit-relaystate {enable | disable}
set user-claim-type {email | given-name | name | upn | common-name | email-adfs-1x |
group | upn-adfs-1x | role | sur-name | ppid | name-identifier | authentication-
method | deny-only-group-sid | deny-only-primary-sid | deny-only-primary-group-
sid | group-sid | primary-group-sid | primary-sid | windows-account-name}
set group-claim-type {email | given-name | name | upn | common-name | email-adfs-1x |
group | upn-adfs-1x | role | sur-name | ppid | name-identifier | authentication-
method | deny-only-group-sid | deny-only-primary-sid | deny-only-primary-group-
sid | group-sid | primary-group-sid | primary-sid | windows-account-name}
next
end
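As an added example (not code from the page or from Fortinet), the service-provider checks that the SP-initiated flow described at the start of this section implies once the POSTed assertion arrives: the issuer matches the IDP Entity ID, the validity window contains the current time, the audience is the SP Entity ID, and the user and group values are read from the attributes selected by the user-claim-type and group-claim-type settings. The assertion, the entity IDs and the mapping from the claim-type names to ADFS claim URIs are constructed for the demo. Signature verification against the IDP Certificate must succeed before any of this is trusted; it is outside the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim-type names from the user-claim-type / group-claim-type options, mapped
# to the ADFS claim URIs that usually carry them. Assumed mapping for the demo;
# compare against the attribute names your IdP actually emits.
ADFS_CLAIM_URIS = {
    "upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "group": "http://schemas.xmlsoap.org/claims/Group",
    "role": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}

# Constructed sample assertion (hypothetical hosts; no Signature element).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_demo" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://proxy.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>proxy-users</saml:AttributeValue>
      <saml:AttributeValue>admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text: str, sp_entity_id: str, idp_entity_id: str, now_iso: str,
                    user_claim: str = "upn", group_claim: str = "group"):
    """Validate Issuer, Conditions and Audience, then return (user, groups).

    Raises ValueError on any failure. Signature verification is assumed to
    have been done already on the whole document.
    """
    root = ET.fromstring(xml_text)
    now = _ts(now_iso)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != idp_entity_id:
        raise ValueError(f"unexpected issuer {issuer}")
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if sp_entity_id not in audiences:
        raise ValueError(f"assertion not addressed to {sp_entity_id}")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    user_values = attrs.get(ADFS_CLAIM_URIS[user_claim], [])
    if len(user_values) != 1:
        raise ValueError("expected exactly one user claim value")
    return user_values[0], attrs.get(ADFS_CLAIM_URIS[group_claim], [])


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "https://proxy.example.com/saml/metadata",
                          "https://idp.example.com/adfs/services/trust", "2024-01-01T12:01:00Z"))
```

The audience and issuer checks are what stop an assertion minted for another service provider, or by another IdP, from being replayed against the proxy; the time window bounds how long a captured assertion stays usable, and the group list is what the authorization step (matching the user to a group) consumes.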

To edit a SAML server:

1. Select the SAML server you want to edit and then click Edit from the toolbar. The Edit SAML window opens.
2. Edit the server information as required and click OK to apply your changes.

FortiTokens

FortiToken is a disconnected one-time password (OTP) generator. It is a small physical device with a button that, when
pressed, displays a six-digit authentication code. This code is entered with a user’s username and password as
two-factor authentication. The code displayed changes every 60 seconds, and, when not in use, the LCD screen is
blanked to extend the battery life.
There is also a mobile phone application, FortiToken Mobile, that performs much the same function.
FortiTokens have a small hole in one end. This is intended for a lanyard to be inserted so the device can be worn around
the neck, or easily stored with other electronic devices. Do not put the FortiToken on a key ring as the metal ring and
other metal objects can damage it. The FortiToken is an electronic device like a cell phone and must be treated with
similar care.
Any time information about the FortiToken is transmitted, it is encrypted. When the FortiProxy unit receives the code that
matches the serial number for a particular FortiToken, it is delivered and stored encrypted. This is in keeping with
Fortinet’s commitment to keeping your network highly secured.
FortiTokens can be added to user accounts that are local, IPsec VPN, SSL VPN, and even Administrators. See
Associate FortiTokens with accounts on page 399.
A FortiToken can be associated with only one account on one FortiProxy unit.
If a user loses the FortiToken, it can be locked out using the FortiProxy unit so it will not be used to falsely access the
network. Later if found, that FortiToken can be unlocked on the FortiProxy unit to allow access once again. See
FortiToken maintenance on page 400.
To view a list of available FortiTokens, go to User & Device > FortiTokens.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:


Create New Add a FortiToken to your FortiProxy unit. See Add or edit a FortiToken on page
397.

Edit Modify a FortiToken that was added to your FortiProxy unit. See Add or edit a
FortiToken on page 397.

Delete Remove a FortiToken from the list.

Activate Activate a FortiToken that was added to your FortiProxy unit. See Activate a
FortiToken on the FortiProxy unit on page 398.

Provision Notify the FortiToken provisioning server that the token has been assigned for
subsequent activation. The provisioning server sends an activation code to the
end user.

Refresh Update the data displayed.

Download Available Download FortiToken information.

Search Enter a search term to find in the FortiToken list.

Type The FortiToken type can be Hard Token or Mobile Token.

Serial Number The FortiToken serial number.

Status Whether the FortiToken has been assigned or activated.

User The user associated with the FortiToken.

Drift How many minutes the FortiToken time differs from the time on the FortiProxy
unit.

Comments An optional description of the FortiToken.

License The license for the mobile token.

FortiToken authentication process

There are three tasks to complete before FortiTokens can be used to authenticate accounts:
1. Add or edit a FortiToken on page 397
2. Activate a FortiToken on the FortiProxy unit on page 398
3. Associate FortiTokens with accounts on page 399

The following are the steps during FortiToken two-factor authentication:

1. The user attempts to access a network resource.
2. The FortiProxy unit matches the traffic to an authentication security policy, and the FortiProxy unit prompts the user
for user name and password.
3. The user enters the user name and password.
4. The FortiProxy unit verifies the information, and, if valid, prompts the user for the FortiToken code.
5. The user gets the current code from their FortiToken device.
6. The user enters current code at the prompt.
7. The FortiProxy unit verifies the FortiToken code, and, if valid, allows access to the network resources such as the
Internet.


The following steps are needed only if the time on the FortiToken has drifted and needs to be re-synchronized with
the time on the FortiProxy unit.
8. If the time on the FortiToken has drifted, the FortiProxy unit prompts the user to enter a second code to confirm.
9. The user gets the next code from their FortiToken device.
10. The user enters the second code at the prompt.
11. The FortiProxy unit uses both codes to update its clock to match the FortiToken and then proceeds as in step 7.
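The two-code resynchronization in steps 8 to 11 works because a time-based OTP is a counter-based HMAC code whose counter is the current time divided by the time step, so a token whose clock has drifted simply presents codes for a nearby counter. As an added example (not code from the page or from Fortinet, whose FortiToken parameters are not on the page), RFC 4226 HOTP and RFC 6238 TOTP with the 60-second step the page describes, a verifier that tolerates one step of drift, and a resync that takes two consecutive codes and records the offset. The seed is the RFC 4226 reference secret, and the resync model is simplified.

```python
import hashlib
import hmac
import struct

# Reference secret from the RFC 4226 / RFC 6238 test vectors (demo value only).
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 60  # the page states the displayed code changes every 60 seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack("!Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6,
         drift_steps: int = 0) -> str:
    """RFC 6238: HOTP with counter = floor(time / step), plus a known drift offset."""
    return hotp(secret, unix_time // step + drift_steps, digits)


def verify_code(secret: bytes, code: str, unix_time: int, drift_steps: int = 0,
                window: int = 1, step: int = STEP_SECONDS):
    """Return the step offset at which code matches, or None. window is how many
    steps of unaccounted drift are tolerated; keep it small, since each extra
    step adds another code that would be accepted."""
    base = unix_time // step + drift_steps
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + offset), code):
            return offset
    return None


def resync(secret: bytes, first_code: str, second_code: str, unix_time: int,
           drift_steps: int = 0, search: int = 50, step: int = STEP_SECONDS):
    """Steps 8 to 11 in simplified form: two consecutive codes pin down the token's
    counter within +/- search steps; returns the new drift in steps, or None.
    Requiring two codes makes an accidental match far less likely than with one."""
    base = unix_time // step + drift_steps
    for offset in range(-search, search + 1):
        if (hmac.compare_digest(hotp(secret, base + offset), first_code)
                and hmac.compare_digest(hotp(secret, base + offset + 1), second_code)):
            return drift_steps + offset
    return None


if __name__ == "__main__":
    now = 6000                            # constructed server clock (counter 100)
    token_now = now + 5 * STEP_SECONDS    # token clock five steps ahead
    code = totp(DEMO_SEED, token_now)
    print("accepted with window 1:", verify_code(DEMO_SEED, code, now))
    drift = resync(DEMO_SEED, code, totp(DEMO_SEED, token_now + STEP_SECONDS), now)
    print("drift after resync:", drift,
          "accepted with stored drift:", verify_code(DEMO_SEED, code, now, drift_steps=drift))
```

The drift value the diag fortitoken info command lists later in this chapter is the same quantity this resync records: once stored per token, the verifier keeps a narrow window and the token's clock error no longer causes rejections.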

When configured, the FortiProxy unit accepts the user name and password, authenticates them either locally or
remotely, and prompts the user for the FortiToken code. The FortiProxy unit then authenticates the FortiToken code.
When FortiToken authentication is enabled, the prompt field for entering the FortiToken code is automatically added to
the authentication screens.
Even when an Administrator is logging in through a serial or Telnet connection and their account is linked to a
FortiToken, that Administrator will be prompted for the token’s code at each login.

If you have attempted to add invalid FortiToken serial numbers, there will be no error
message. The serial numbers will simply not be added to the list.

FortiToken Mobile Push

A command under config system ftm-push allows you to configure the FortiToken Mobile Push services server
IP address and port number. The Push service is provided by Apple (APNS) and Google (GCM) for iPhone and Android
smartphones respectively. This service prevents tokens from becoming locked after an already enabled two-factor
authentication user has been disabled.

CLI syntax

config system ftm-push
set server-ip <ip-address>
set server-port [1-65535] // Default is 4433.
set status <enable | disable>
end

NOTE: The server-ip is the public IP address of the FortiProxy interface that the FTM will call back to; it is the IP
address used by the FortiProxy for incoming FTM calls.
In addition, FTM Push is supported on administrator login and SSL VPN login for both iOS and Android. If an SSL VPN
user authenticates with their token, then logs out and attempts to reauthenticate again within a minute, a new message
displays showing “Please wait x seconds to login again.” This replaces a previous error/permission denied message.
The “x” value depends on the calculation of how much time is left in the current time step.

CLI syntax

config system interface
edit <name>
set allowaccess ftm
next
end


The FortiProxy unit supports FTM Push notifications initiated by FortiAuthenticator when users
are attempting to authenticate through a VPN and/or RADIUS (with FortiAuthenticator as the
RADIUS server).

Migrate FortiToken Mobile users from FortiProxy to FortiToken Cloud

The execute fortitoken-cloud migrate-ftm <license> <vdom> command allows the migration of
FortiToken Mobile users from the FortiProxy unit to FortiToken Cloud. The FortiToken Cloud account must be using a
time-based subscription license. A request must be made to Fortinet Customer Service to initiate and pre-authorize the
transfer. All current active FortiToken Mobile users will be migrated to the FortiToken Cloud license with no changes to
the FortiToken Mobile serial number. The FortiProxy user or administrator's two-factor setting is automatically converted
from fortitoken to fortitoken-cloud. After migration, end users will be able to authenticate as before without any
changes to their FortiToken mobile app. See Migrate FTM tokens to FortiToken Cloud for more information.

Add or edit a FortiToken

Before one or more FortiTokens can be used to authenticate logons, they must be added to the FortiProxy unit. The
import feature is used to enter many FortiToken serial numbers at one time. The serial number file must be a text file with
one FortiToken serial number per line.

Both FortiToken Mobile and physical FortiTokens store their encryption seeds on the cloud;
therefore, you will only be able to register them to a single FortiProxy unit or FortiAuthenticator
unit.
Because FortiToken-200CD seed files are stored on the CD, these tokens can be registered
on multiple FortiProxy units and/or FortiAuthenticator units, but not simultaneously.

To manually add a FortiToken to the FortiProxy using the web-based manager:

1. Go to User & Authentication > FortiTokens.
2. Select Create New.
3. In Type, select Hard Token or Mobile Token.
4. Enter one or more FortiToken serial numbers (hard token) or activation codes (mobile token).
5. Click OK.

For mobile token, you receive the activation code in the license certificate after you purchase a
license.

To import multiple FortiTokens to the FortiProxy unit using the web-based manager:

1. Go to User & Authentication > FortiTokens.
2. Select Create New.
3. In Type, select Hard Token.
4. Select Import.


5. Select Serial Number File or Seed File, depending on which file you have.
6. Select Upload and browse to the local file location on your local computer.
7. Select Open. The file is imported.
8. Click OK.

To import FortiTokens to the FortiProxy unit from external sources using the CLI:

FortiToken seed files (both physical and mobile versions) can be imported from either FTP or TFTP servers, or a USB
drive, allowing seed files to be imported from an external source more easily:
execute fortitoken import ftp <file name> <ip>[:ftp port] <Enter> <user> <password>
execute fortitoken import tftp <file name> <ip>
execute fortitoken import usb <file name>

To import seed files for FortiToken Mobile, replace fortitoken with fortitoken-mobile.

To add two FortiTokens to the FortiProxy unit using the CLI:

config user fortitoken
edit <serial_number>
next
edit <serial_number2>
next
end

To edit the settings for a FortiToken:

1. Go to User & Authentication > FortiTokens.
2. Select a FortiToken from the list.
3. Select Edit.
4. Change the comments and serial number as needed.
5. Click OK.

Activate a FortiToken on the FortiProxy unit

After one or more FortiTokens have been added to the FortiProxy unit, they must be activated before being available to
be associated with accounts. The process of activation involves the FortiProxy unit querying FortiGuard servers about
the validity of each FortiToken. The serial number and information is encrypted before it is sent for added security.

A FortiProxy unit requires a connection to FortiGuard servers to activate a FortiToken.


To activate a FortiToken on the FortiProxy unit using the web-based manager:

1. Go to User & Authentication > FortiTokens.
2. Select one or more FortiTokens with a status of Available.
3. Right-click the FortiToken entry and select Activate.
4. Select Refresh. The status of selected FortiTokens will change to Activated.

The selected FortiTokens are now available for use with user and admin accounts.

To activate a FortiToken on the FortiProxy unit using the CLI:

config user fortitoken
edit <token_serial_number>
set status active
next
end

Associate FortiTokens with accounts

The final step before using the FortiTokens to authenticate logons is associating a FortiToken with an account. The
accounts can be local user or administrator accounts.
NOTE: You cannot delete a FortiToken from the FortiToken list page if it is associated with a user account.

To add a FortiToken to a local user account using web-based manager:

1. Ensure that your FortiToken serial number has been added to the FortiProxy unit successfully, and its status is
Available.
2. Go to User & Authentication > User Definition, select the user account, and then click Edit User.
3. Enter the user’s Email Address.
4. Enable Two-factor Authentication.
5. Select the user's FortiToken serial number from the Token list.
6. Click OK.

For mobile token, select Send Activation Code to be sent to the email address configured
previously. The user will use this code to activate the mobile token. An Email Service has to be
set under System > Advanced to send the activation code.

To add a FortiToken to a local user account using the CLI:

config user local
edit <username>
set type password
set passwd "myPassword"
set two-factor fortitoken
set fortitoken <serial_number>
set email-to "username@example.com"
set status enable
next
end


To add a FortiToken to an administrator account using the web-based manager:

1. Ensure that your FortiToken serial number has been added to the FortiProxy unit successfully, and its status is
Available.
2. Go to System > Administrators , select admin, and then click Edit. This account is assumed to be configured except
for two-factor authentication.
3. Enter admin's Email Address.
4. Enable Two-factor Authentication.
5. Select the user's FortiToken serial number from the Token list.
6. Click OK.

For mobile token, select Send Activation Code to be sent to the email address configured
previously. The admin will use this code to activate the mobile token. An Email Service has to
be set under System > Advanced to send the activation code.

To add a FortiToken to an administrator account using the CLI:

config system admin
edit <username>
set password "myPassword"
set two-factor fortitoken
set fortitoken <serial_number>
set email-to "username@example.com"
next
end

The fortitoken keyword is not visible until fortitoken is selected for the two-factor option.

Before a new FortiToken can be used, you might need to synchronize it due to clock drift.

FortiToken maintenance

After FortiTokens are entered into the FortiProxy unit, there are only two tasks to maintain them—changing the status
and synchronizing them if they drift.

To change the status of a FortiToken between Activated and Locked using the CLI:

config user fortitoken
edit <token_serial_num>
set status lock
next
end

Any user attempting to log in using this FortiToken will not be able to authenticate.


To list the drift on all FortiTokens configured on this FortiProxy unit using the CLI:

# diag fortitoken info
FORTITOKEN DRIFT STATUS
FTK2000BHV1KRZCC 0 token already activated, and seed won't be returned
FTK2001C5YCRRVEE 0 token already activated, and seed won't be returned
FTKMOB4B94972FBA 0 provisioned
FTKMOB4BA4BE9B84 0 new
Total activated token: 0
Total global activated token: 0
Token server status: reachable

This command lists the serial number and drift for each FortiToken configured on this FortiProxy unit. This command is
useful to check if it is necessary to synchronize the FortiProxy unit with any particular FortiTokens.

System

The System menu provides submenus for three areas: system administration, system configuration, and certificates.
System administration covers the following topics:
- Administrators on page 402
- Admin Profiles on page 408
- Firmware on page 411
- Settings on page 412
System configuration covers the following topics:
- HA on page 416
- SNMP on page 419
- Replacement Messages on page 430
- Replacement Message Groups on page 438
- FortiGuard on page 440
- Feature Visibility on page 444
Certificates on page 446 covers generating, editing, deleting, importing, viewing, and downloading certificates.

Administrators

Administrators are configured in System > Administrators. There is already a default administrator account on the unit
named admin that uses the super_admin administrator profile.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
You need to use the default admin account, an account with the super_admin admin profile, or an administrator with
read-write access control to add new administrator accounts and control their permission levels. If you log in with an
administrator account that does not have the super_admin admin profile, the administrators list shows only the
administrators for the current virtual domain.
The Administrators page lists the default super_admin administrator account, and all administrator accounts that you
have created. The following options are available:

Create New Creates a new administrator account. See Create or edit an administrator on page
403 or Create or edit a REST API administrator on page 406.

Edit Modifies settings within an administrator’s account. When you select Edit, the Edit
Administrator page opens. See Create or edit an administrator on page 403 or
Create or edit a REST API administrator on page 406.

Delete Remove an administrator account.
You cannot delete the original admin account until you create another user with
the super_admin profile, log out of the admin account, and log in with the alternate
user that has the super_admin profile.
To remove multiple administrator accounts, select multiple rows in the list by
holding down the Ctrl or Shift keys and then select Delete.

Name The login name for an administrator account.

Trusted Hosts The IP address and netmask of trusted hosts from which the administrator can log
in.

Profile The admin profile for the administrator.

Type The type of authentication for this administrator, one of the following:
- Local: Authentication of an account with a local password stored on the FortiProxy unit.
- Remote: Authentication of a specific account on a RADIUS, Lightweight Directory Access Protocol (LDAP), or Terminal Access Controller Access-Control System (TACACS+) server.
- Remote+Wildcard: Authentication of any account on an LDAP, RADIUS, or TACACS+ server.
- PKI: PKI-based certificate authentication of an account.

Two-factor Authentication FortiProxy supports FortiToken and FortiToken Mobile. FortiToken Mobile is a
Fortinet application that enables you to generate One Time Passwords (OTPs) on
a mobile device for FortiProxy two-factor authentication. The user’s mobile device
and the FortiProxy unit must be connected to the Internet to activate FortiToken
mobile. Once activated, users can generate OTPs on their mobile device without
having network access. FortiToken Mobile is available for iOS and Android
devices from their respective Application stores. No cellular network is required
for activation.

Comments A description of the administrator account.

Create or edit an administrator

Select Create New > Administrator to open the New Administrator page. It provides settings for configuring an
administrator account. When you are configuring an administrator account, you can enable authentication for an admin
from an LDAP, RADIUS, or local server.

Select an administrator and then click Edit to open the Edit Administrator page.
Configure the following settings in the New Administrator page or Edit Administrator page and then click OK:

User Name Enter the login name for the administrator account.
The name of the administrator should not contain the characters <, >, (, ), #, ", or
'. Using these characters in the administrator account name can result in a cross-
site scripting (XSS) vulnerability.

Type Select the type of administrator account.
- Local User—Select to create a local administrator account.
- Match a user on a remote server group—Select to authenticate the administrator using a RADIUS, LDAP, or TACACS+ server. Server authentication for administrators must be configured first.
- Match all users on a remote server group—Select to authenticate all users using a specific RADIUS, LDAP, or TACACS+ server. Server authentication for administrators must be configured first.
- Use public key infrastructure (PKI) group—Select to enable certificate-based authentication for the administrator. Only one administrator can be logged in with PKI authentication enabled.

Password Enter a password for the administrator account. For improved security, the
password should be at least 6 characters long. Select the eye icon to view the
password.
This option is only available if Type is Local User.

Confirm Password Type the password for the administrator account a second time to confirm that
you have typed it correctly. Select the eye icon to view the password.
This option is not available if Type is Use public key infrastructure (PKI) group.

Backup Password Enter a backup password for the administrator account. For improved security,
the password should be at least 6 characters long. Select the eye icon to view the
password.
This option is only available if Type is Match a user on a remote server group or
Match all users on a remote server group.

Comments Optionally, enter comments about the administrator account.

Administrator Profile Select an administrator profile to use for the new administrator.
To create an administrator profile, see Create or edit an administrator profile on
page 409.

Email Address If email is used for two-factor authentication, provide the email address at which
the user will receive token password codes.

Remote User Group Select the administrator user group that includes the remote server/PKI (peer)
users as members of the Remote User Group. The administrator user group
cannot be deleted after the group is selected for authentication.
This option is only available if Type is Match a user on a remote server group or
Match all users on a remote server group.

PKI Group Select to allow all accounts on the RADIUS, LDAP, or TACACS+ server to be
administrators.
This option is only available if Type is Use public key infrastructure (PKI) group.

SMS If SMS is used for two-factor authentication, enable SMS and provide the country
dial code and SMS cell phone number at which the user will receive token
password codes.

Restrict login to trusted hosts Enable to restrict this administrator login to specific trusted hosts and then enter
the IPv4 or IPv6 addresses and netmasks of the trusted hosts. You can specify up
to 10 trusted hosts and 10 IPv6 trusted hosts.

Restrict admin to guest account provisioning only Enable to create a guest management administrator and then select the name of
the guest group.

Regular (password) authentication for administrators

You can use a password stored on the local unit to authenticate an administrator. When you select Local User for Type,
you will see Local as the entry in the Type column when you view the list of administrators.

Using trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting
administrative access. In addition to knowing the password, an administrator can connect only through the subnet or
subnets that you specify. You can even restrict an administrator to a single IP address if you define only one trusted host
IP address with a netmask of 255.255.255.255.
When you set trusted hosts for all administrators, the unit does not respond to administrative access attempts from any
other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts
administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to
attempts to gain unauthorized access.
The trusted hosts you define apply to the GUI, Ping, SNMP, and the CLI when accessed through Telnet or SSH. CLI
access through the console port is not affected.
The trusted host addresses all default to 0.0.0.0/0.0.0.0. If you set one of the zero addresses to a nonzero address, the
other zero addresses will be ignored. The only way to use a wildcard entry is to leave the trusted hosts at 0.0.0.0/0.0.0.0.
However, this configuration is less secure.
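
The trusted-host and account-name rules above can be checked offline against a configuration export. The following Python script is an added example, not Fortinet code: it parses a constructed config system admin block, applies the guide's rule that non-zero trusthost entries override the 0.0.0.0/0.0.0.0 defaults, and flags administrators without trusted hosts, without two-factor authentication, or with the forbidden name characters. The trusthostN, accprofile and gui-dashboard keywords are assumed from the FortiOS CLI; this page itself only shows the two-factor keywords.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Characters the guide says an administrator name must not contain (XSS risk).
FORBIDDEN_NAME_CHARS = set('<>()#"\'')
ZERO_HOST = ("0.0.0.0", "0.0.0.0")  # the default, wildcard trusted host


@dataclass
class Admin:
    name: str
    settings: Dict[str, str] = field(default_factory=dict)


def parse_admins(config: str) -> List[Admin]:
    """Parse the 'edit <name> ... next' blocks of a 'config system admin' export.
    Sub-tables nested inside an admin (e.g. 'config gui-dashboard', assumed from
    FortiOS) are skipped so their own edit/next pairs are not read as admins."""
    admins: List[Admin] = []
    current = None
    nested = 0
    for raw in config.splitlines():
        line = raw.strip()
        if current is not None and line.startswith("config "):
            nested += 1
        elif nested and line == "end":
            nested -= 1
        elif nested:
            continue
        elif line.startswith("edit "):
            current = Admin(name=line[5:].strip().strip('"'))
        elif line == "next" and current is not None:
            admins.append(current)
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current.settings[key] = value.strip()
    return admins


def trusted_hosts(admin: Admin) -> List[Tuple[str, str]]:
    """Effective trusted hosts. Per the guide, once any trusthostN entry is
    non-zero the 0.0.0.0/0.0.0.0 entries are ignored, so an empty result means
    the admin may log in from any address; a 255.255.255.255 mask pins one IP."""
    hosts = []
    for key, value in admin.settings.items():
        if re.fullmatch(r"trusthost(10|[1-9])", key):
            parts = value.replace('"', "").split()
            if len(parts) == 2:
                hosts.append((parts[0], parts[1]))
    return [h for h in hosts if h != ZERO_HOST]


def audit_admin(admin: Admin) -> List[str]:
    """Weaknesses found for one administrator account."""
    findings = []
    bad = "".join(sorted(FORBIDDEN_NAME_CHARS & set(admin.name)))
    if bad:
        findings.append(f"name contains {bad} (XSS risk)")
    if not trusted_hosts(admin):
        findings.append("no trusted hosts: login accepted from any address")
    if admin.settings.get("two-factor", "disable") == "disable":
        findings.append("two-factor authentication disabled")
    return findings


def audit(config: str) -> Dict[str, List[str]]:
    """Findings keyed by administrator name."""
    return {a.name: audit_admin(a) for a in parse_admins(config)}


def unit_exposed(config: str) -> bool:
    """True when any admin has no trusted hosts: the guide notes that a single
    unrestricted admin makes the unit answer administrative access attempts
    from any host on every interface with administrative access enabled."""
    return any(not trusted_hosts(a) for a in parse_admins(config))


# Constructed sample export (not from a real device); the token serial is a placeholder.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.5 255.255.255.255
        set two-factor fortitoken
        set fortitoken "FTK-EXAMPLE-SERIAL"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "helpdesk<1>"
        set accprofile "prof_admin"
        set trusthost1 0.0.0.0 0.0.0.0
        set trusthost2 192.168.1.0 255.255.255.0
    next
    edit "backup"
    next
end
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG), unit_exposed(SAMPLE_CONFIG))
```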

Create or edit a REST API administrator

Select Create New > REST API Admin to open the New REST API Admin page. It provides settings for configuring a
REST API administrator account.

Select a REST API administrator and then click Edit to open the Edit REST API Admin page.
Configure the following settings in the New REST API Admin page or Edit REST API Admin page and then click OK:

User Name Enter the login name for the administrator account.
The name of the administrator should not contain the characters <, >, (, ), #, ", or
'. Using these characters in the administrator account name can result in a cross-
site scripting (XSS) vulnerability.

Comments Optionally, enter comments about the administrator account.

Administrator Profile Select an administrator profile to use for the new administrator.
To create an administrator profile, see Create or edit an administrator profile on
page 409.

PKI Group Enable this option for REST API clients and then select which PKI group to
accept.

CORS Allow Origin Enable this option for cross-origin resource sharing (CORS) and then specify the
URL that can access the REST API.

Trusted Hosts Enter the trusted hosts allowed to log in to the REST API.

Using trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting
administrative access. In addition to knowing the password, an administrator can connect only through the subnet or
subnets that you specify. You can even restrict an administrator to a single IP address if you define only one trusted host
IP address with a netmask of 255.255.255.255.
When you set trusted hosts for all administrators, the unit does not respond to administrative access attempts from any
other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts
administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to
attempts to gain unauthorized access.
The trusted hosts you define apply to the GUI, Ping, SNMP, and the CLI when accessed through Telnet or SSH. CLI
access through the console port is not affected.
The trusted host addresses all default to 0.0.0.0/0.0.0.0. If you set one of the zero addresses to a nonzero address, the
other zero addresses will be ignored. The only way to use a wildcard entry is to leave the trusted hosts at 0.0.0.0/0.0.0.0.
However, this configuration is less secure.

Admin Profiles

Each administrator account belongs to an admin profile. The admin profile separates FortiProxy features into access
control categories for which an administrator with read-write access can enable none (deny), read-only, or read-write
access.
Read-only access for a GUI page enables the administrator to view that page. However, the administrator needs write
access to change the settings on the page.
The admin profile has a similar effect on administrator access to CLI commands. You can access get and show
commands with Read Only access, but access to config commands requires Read-Write access.
When an administrator has read-only access to a feature, the administrator can access the GUI page for that feature but
cannot make changes to the configuration. There are no Create or Apply buttons, and lists display only the View icon
instead of icons for Edit, Delete, or other modification commands.
You need to use the admin account or an account with read-write access to create or edit admin profiles.
The Admin Profile page lists all administration profiles that you created as well as the default admin profiles. On this
page, you can edit, delete, or create an admin profile.
To view administrator profiles, go to System > Admin Profiles.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.

The following options are available:

Create New Creates an administrator profile. See Create or edit an administrator profile on
page 409.

Edit Profile Modifies the selected administrator profile. When you click Edit Profile, the Edit
Administrator Profile page opens. See Create or edit an administrator profile on
page 409.
NOTE: You cannot edit the super_admin profile.

Delete Removes the admin profile from the list on the page.
You cannot delete an admin profile that has administrators assigned to it.
To remove multiple admin profiles, select multiple rows in the list by holding down
the Ctrl or Shift keys and then select Delete.

Profile Name The name of the admin profile.

Comments Comments about the admin profile.

Ref. Displays the number of times the object is referenced to other objects.
To view the location of the referenced object, select the number in Ref.; the Object
Usage window opens and displays the various locations of the referenced object.

Create or edit an administrator profile

Select Create New to open the New Administrator Profile page. It provides settings for configuring an administrator
profile.

Select an administrator profile and then click Edit Profile to open the Edit Administrator Profile page.
Configure the following settings in the New Administrator Profile page or Edit Administrator Profile page and then click
OK.
NOTE: You cannot edit the super_admin profile.

Name Enter a name for the new administrator profile. After an administrator profile is
created, you cannot change the name.

Comments Optionally, add comments about the administrator profile.

Access Control The list of feature categories for which you can set None, Read Only, or Read-Write access.

None Deny access for the Access Control category.

Read Only Enable read-only access for the Access Control category.

Read-Write Allow read-write access for the Access Control category.

Access Control (categories) Make specific access control selections as required.
- Maintenance
- Administrator Users
- FortiGuard Update
- User & Device
- System Configuration
- Network Configuration
- Log & Report
- Router Configuration
- Firewall Configuration
- VPN Configuration
- Security Profile Configuration
- WAN Opt & Cache

Override Idle Timeout Enable to change how many minutes the FortiProxy unit is idle before the session
closes.

Timeout Select Idle Countdown to specify the number of minutes that the system is idle
before the session closes. Select Never Timeout to prevent the FortiProxy unit
from closing idle sessions.

Idle Enter the number of minutes that the FortiProxy unit is idle before the session
closes. The default is 10 minutes.

Firmware

Go to System > Firmware to check the current firmware version and to upload firmware from your computer or from
FortiGuard.

To upload a new firmware image from your computer:

1. Go to System > Firmware and select Browse.
2. Select the file on your PC and select Open.
3. Select Backup Config and Upgrade. Your system will reboot.

Settings

Use the system settings to configure general settings for administration access, password policies, system time settings,
and display settings.
Go to System > Settings to configure system settings.

Configure the following settings and then select Apply:

System Settings

Host name The host name of the FortiProxy unit. The only administrators that can change a
host name are administrators whose admin profiles permit system configuration
write access. If the FortiProxy unit is part of an HA cluster, you should use a
unique host name to distinguish the FortiProxy unit from others in the cluster.

System Time

Current system time The current time. By default, FortiProxy has the daylight savings time
configuration enabled. The system time must be manually adjusted after daylight
saving time ends.

Time Zone Select the time zone of your FortiProxy unit.

Set Time Select Synchronize with NTP Server or Manual settings.

Select server If you select Synchronize with NTP Server, you can either use the default
FortiGuard server or specify a custom server using the CLI.

Sync interval If you select Synchronize with NTP Server, enter how often the FortiProxy time is
synchronized with the NTP server. The value range is 1-1,440 minutes.

Date If you select Manual settings, enter the date.

Hour If you select Manual settings, enter the hour in 24-hour format.

Minute If you select Manual settings, enter the number of minutes.

Second If you select Manual settings, enter the number of seconds.

Setup device as local NTP server Enable to identify a specific interface for this self-originating traffic. After you
enable this option, select + in the Listen on Interfaces field and select one or more
interfaces.

Administration Settings

HTTP port Enter the TCP port to be used for administrative HTTP access. The default is 80.

Redirect to HTTPS Enable Redirect to HTTPS to force redirection from HTTP to HTTPS.

HTTPS port Enter the TCP port to be used for administrative HTTPS access. The default is
443.

HTTPS server certificate Select Fortinet_Factory or search for a certificate.

SSH port Enter the TCP port to be used for administrative SSH access. The default is 22.

Telnet port Enter the TCP port to be used for administrative Telnet access. The default is 23.

Idle timeout Enter the number of minutes, from 1 to 480, after which the GUI logs out an idle
administrator session.

Allow concurrent sessions Concurrent administrator sessions occur when multiple people concurrently
access the FortiProxy unit using the same administrator account. This behavior is
allowed by default.

Password Policy

Password Scope Select Admin, IPsec, or Both to set the scope of the password policy.
Select Off to apply no policy to the administrator password.

Minimum Length If you select Admin, IPsec, or Both, set the minimum acceptable length for
passwords, from 8 to 128 characters.

Character requirements If you select Admin, IPsec, or Both, select the character types to require: special
characters, upper-case letters, lower-case letters, or numbers. Each selected type must
occur at least once in the password.
- Upper case—A, B, C, ... Z
- Lower case—a, b, c, ... z
- Numbers (0-9)—0, 1, 2, ... 9
- Special—@, ?, #, ... %

Allow password reuse If you select Admin, you can select this option to allow passwords to be reused.

Password expiration If you select Admin, IPsec, or Both, you can require administrators to change the
password after a specified number of days. Enter the number of days in the field.
The default is 90 days.

View Settings

Language The language the GUI uses: English, French, Spanish, Portuguese, Japanese,
Traditional Chinese, Simplified Chinese, or Korean.
You should select the language that the operating system of the management
computer uses.

Lines per page Number of lines per page to display in table lists. The range is from 20 to 1000; the
default is 50.

Defining the password policy with a minimum character change

In previous FortiProxy versions, the password policy could only enable or disable a requirement for a minimum of four
new characters in the new password. Starting in FortiProxy 7.0.0, administrators can set the minimum number of unique
characters in the new password that do not exist in the old password. This setting overrides the password reuse option
if both are enabled.

To configure the password policy in the GUI:

1. Go to System > Settings and navigate to the Password Policy section.
2. For Password scope, select Admin.
3. Enter a value for Minimum number of new characters.
4. Click Apply.

To configure the password policy in the CLI:

config system password-policy
    set status enable
    set min-change-characters <0-128>
end
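
To see how these policy fields combine, here is an added Python example (not Fortinet code) that checks a candidate administrator password against the minimum length, character-class, reuse, and min-change-characters settings described above. Counting the unique characters of the new password that are absent from the old one as a set difference is this example's assumption about how min-change-characters is evaluated.

```python
import string
from dataclasses import dataclass
from typing import List

SPECIAL = set(string.punctuation)  # the guide's "Special—@, ?, #, ... %" class


@dataclass(frozen=True)
class PasswordPolicy:
    """Mirror of the Password Policy fields on this page (ranges from the guide)."""
    minimum_length: int = 8         # GUI range 8-128
    require_upper: bool = False
    require_lower: bool = False
    require_number: bool = False
    require_special: bool = False
    allow_reuse: bool = True        # only offered for the Admin scope
    min_change_characters: int = 0  # CLI: set min-change-characters <0-128>

    def __post_init__(self):
        if not 8 <= self.minimum_length <= 128:
            raise ValueError("minimum length must be 8-128")
        if not 0 <= self.min_change_characters <= 128:
            raise ValueError("min-change-characters must be 0-128")


def new_characters(old: str, new: str) -> int:
    """Unique characters of the new password that do not occur in the old one
    (set difference; this example's reading of the guide's wording)."""
    return len(set(new) - set(old))


def check_password(policy: PasswordPolicy, new: str, old: str = "") -> List[str]:
    """Return every policy violation for a proposed password (empty = accepted)."""
    problems = []
    if len(new) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")
    classes = [
        (policy.require_upper, str.isupper, "upper-case letter"),
        (policy.require_lower, str.islower, "lower-case letter"),
        (policy.require_number, str.isdigit, "number"),
        (policy.require_special, SPECIAL.__contains__, "special character"),
    ]
    for required, test, label in classes:
        if required and not any(test(c) for c in new):
            problems.append(f"missing {label}")
    if policy.min_change_characters > 0:
        # The guide says this setting overrides the reuse option when both are set.
        changed = new_characters(old, new)
        if changed < policy.min_change_characters:
            problems.append(f"only {changed} new character(s), "
                            f"policy requires {policy.min_change_characters}")
    elif not policy.allow_reuse and new == old:
        problems.append("password reuse is not allowed")
    return problems


if __name__ == "__main__":
    strict = PasswordPolicy(minimum_length=12, require_upper=True, require_lower=True,
                            require_number=True, require_special=True,
                            allow_reuse=False, min_change_characters=4)
    # Constructed sample passwords, not real credentials.
    print(check_password(strict, "Summer2024!", old="Summer2023!"))
    print(check_password(strict, "Tr0ub4dor&3Xy", old="Summer2023!"))
```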

HA

NOTE: The HA cluster members must be the same hardware model running the same software version. The seat
license does not have to be identical across HA devices, but identical licenses are highly recommended in case of failure.
FortiProxy high availability (HA) provides a system management solution that synchronizes configuration changes
among the clustering members. You can fine-tune the performance of the HA cluster to change how a cluster forms and
shares information among clustering members.
The HA heartbeat keeps cluster units communicating with each other. The heartbeat consists of hello packets that are
sent at regular intervals by the heartbeat interface of all cluster units. These hello packets describe the state of the
cluster unit and are used by other cluster units to keep all the units synchronized.
HA heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891, and 0x8893. The default time
interval between HA heartbeats is 200 ms.
Your FortiProxy device can be configured as a standalone unit or you can configure two FortiProxy devices in the Active-
Passive mode for failover protection.
NOTE: If you are using vSwitches:
- In Config-Sync mode, you need to select the promiscuous mode and accept MAC address changes on the VLANs or port groups of the heartbeat vSwitch. For the data interface's vSwitch, you can use the default vSwitch setting.
- In Active-Passive mode, you need to select the promiscuous mode and accept MAC address changes on the VLANs or port groups of the heartbeat vSwitch. For the data interface's vSwitch, the security setting must be the same as the heartbeat vSwitch.
To configure HA and cluster settings or to view the cluster member list, select System > HA.

Configure the following settings and then click OK:

Mode Select Standalone, Config-Sync, or Active-Passive from the drop-down menu. If you
select Standalone, no other options are displayed.

Device priority You can set a different device priority for each cluster member to control the order
in which cluster units become the primary unit (HA primary) when the primary unit
fails. The device with the highest device priority becomes the primary unit. The
default value is 128.

Unicast Heartbeat Enable the unicast HA heartbeat in virtual machine (VM) environments that do not
support broadcast communication.

Unicast Heartbeat Peer IP Enter the IP address of the HA heartbeat interface of the other FortiProxy VM in
the HA cluster.

Cluster Settings

Group name Enter a name to identify the cluster.

Password Select Change to enter a password to identify the HA cluster. The maximum
password length is 15 characters. The password must be the same for all cluster
FortiProxy units before the FortiProxy units can form the HA cluster.
When the cluster is operating, you can add a password, if required. Two clusters
on the same network must have different passwords.

Monitor interfaces Select the specific ports to monitor.
If a monitored interface fails or is disconnected from its network, the interface
leaves the cluster and a link failover occurs. The link failover causes the cluster to
reroute the traffic being processed by that interface to the same interface of
another cluster unit that still has a connection to the network. This other cluster
unit becomes the new primary unit.

Heartbeat Interfaces Select to enable or disable the HA heartbeat communication for each interface in
the cluster and then set the heartbeat interface priority.
The heartbeat interface with the highest priority processes all heartbeat traffic.
You must select at least one heartbeat interface. If the interface functioning as the
heartbeat fails, the heartbeat is transferred to another interface configured as a
heartbeat interface. If heartbeat communication is interrupted, the cluster stops
processing traffic. Priority ranges from 0 to 512.

Management Interface Reservation Enable or disable the management interface reservation.
You can provide direct management access to individual cluster units by
reserving a management interface as part of the HA configuration. After this
management interface is reserved, you can configure a different IP address,
administrative access, and other interface settings for this interface for each
cluster unit. You can also specify static routing settings for this interface. Then by
connecting this interface of each cluster unit to your network, you can manage
each cluster unit separately from a different IP address.

Interface Select the management interface.

Gateway Enter the IPv4 address for the remote gateway.

IPv6 gateway Enter the IPv6 address for the remote gateway.

Destination subnet Enter the destination subnet.

+ Select + to add another management interface.

HA multiple unicast peers

Starting in FortiProxy 7.0.1, you can configure up to eight unicast Config-Sync HA clusters. Unicast configuration
synchronization is supported on layer 3, allowing peers to be synchronized in cloud environments that do not support
layer-2 networking. Configuring a unicast gateway allows peers to be in different subnets.
For example:
config system ha
    set mode config-sync-only
    set hbdev "port1" 50
    set override enable
    set unicast-status enable
    set unicast-gateway 10.0.0.1
    config unicast-peers
        edit 1
            set peer-ip 192.168.76.13
        next
        .........
    end
end

Note:
- Use the set unicast-hb enable command for a one-to-one unicast Active-Passive HA cluster or Config-Sync HA cluster.
- Use the set unicast-status, set unicast-gateway, and config unicast-peers commands for multiple peers in a Config-Sync HA cluster.

Cache Collaboration

When FortiProxy units are deployed in a cluster, depending on the architecture, requests for the same URL might reach
each cache device and be cached separately on each one. Load balancing with FortiADC or WCCP can mitigate this.
FortiProxy also provides the Cache Collaboration feature, which makes the storage of all devices within the FortiProxy HA
cluster accessible as a shared entity. Content cached by one device can then be served by the other FortiProxy devices
in the cluster, significantly increasing the cache hit rate.

CLI syntax

config wanopt cache-service
    set prefer-scenario {balance | prefer-speed | prefer-cache} // Default is balance.
    set collaboration {enable | disable} // Default is disable.
    set device-id <name>
    set acceptable-connections {any | peers} // Default is any.
end

SNMP

The Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure
the hardware, such as the FortiProxy SNMP agent, to report system information and traps.
SNMP traps alert you to events that happen, such as a log disk becoming full, or a virus being detected. These traps are
sent to the SNMP managers. An SNMP manager (or host) is typically a computer running an application that can read
the incoming traps and event messages from the agent and can send out SNMP queries to the SNMP agents. A
FortiManager unit can act as an SNMP manager to one or more FortiProxy units.
By using an SNMP manager, you can access SNMP traps and data from any FortiProxy interface configured for SNMP
management access. Part of configuring an SNMP manager is to list it as a host in a community on the FortiProxy unit it
will be monitoring. Otherwise, the SNMP monitor will not receive any traps from, and be unable to query, that FortiProxy
unit.
When using SNMP, you must also ensure you have added the correct Management Information Base (MIB) files to the
unit, regardless of whether or not your SNMP manager already includes standard and private MIBs in a ready-to-use,
compiled database. A MIB is a text file that describes a list of SNMP data objects used by the SNMP manager. See
Fortinet MIBs on page 423 for more information.
The FortiProxy SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only
access to FortiProxy system information through queries and can receive trap messages from the unit.
The FortiProxy SNMP v3 implementation includes support for queries, traps, authentication, and privacy. Authentication
and encryption are configured in the CLI.

FortiProxy supports Low crypto (LENC) mode for LENC models.

Before a remote SNMP manager can connect to the FortiProxy agent, you must configure one or more FortiProxy
interfaces to accept SNMP connections. Interfaces are configured in Network > Interfaces. See Interfaces on page 83.

For security reasons, Fortinet recommends that neither “public” nor “private” be used for
SNMP community names.

When the unit is in virtual domain mode, SNMP traps can only be sent on interfaces in the
management virtual domain.

If you want to allow SNMP access on an interface, you must go to Network > Interfaces and
select SNMP in the Access field in the settings for the interface that you want the SNMP
manager to connect to.

For SNMP configuration, go to System > SNMP.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
Configure the following settings and select Apply:

Download FortiProxy MIB File Download the FortiProxy MIB file. See Fortinet MIBs on page 423.

Download Fortinet Core MIB File Download the Fortinet MIB file. See Fortinet MIBs on page 423.

SNMP Agent Enable the FortiProxy SNMP agent. See SNMP agent on page 424.

SNMP v1/v2c Lists the communities for SNMP v1/v2c. From within this section, you can create,
edit or remove SNMP communities.

Create New Creates a new SNMP community. When you select Create New, the New SNMP
Community page opens. See Create or edit an SNMP community on page 424.


Edit Modifies settings within an SNMP community. When you click Edit, the Edit
SNMP Community page opens.

Delete Removes an SNMP community from the list.


To remove multiple SNMP communities, select multiple rows in the list by holding
down the Ctrl or Shift keys and then select Delete.

Status Enable or disable the SNMP community.

Community Name The name of the community.

Queries Indicates whether the query protocols (v1 and v2c) are enabled or disabled. A
check mark indicates that queries are enabled; a gray x indicates that queries are
disabled. If one query protocol is disabled and the other is enabled, a check mark
is still shown.

Traps Indicates whether the trap protocols (v1 and v2c) are enabled or disabled. A check
mark indicates that traps are enabled; a gray x indicates that traps are disabled. If
one trap protocol is disabled and the other is enabled, a check mark is still shown.

Hosts Number of hosts that are part of the SNMP community.

Events Number of events that have occurred.

Status Indicates whether the SNMP community is enabled or disabled.

SNMP v3 Lists the SNMP v3 users. From within this section, you can edit, create or remove
an SNMP v3 user.

Create New Creates a new SNMP v3 user. When you select Create New, the Create New
SNMP User page opens. See Create or edit an SNMP user on page 428.

Edit Modifies settings within the SNMP v3 user. When you click Edit, the Edit SNMP
User page opens.

Delete Removes an SNMP v3 user from the page.


To remove multiple SNMP v3 users, select multiple rows in the list by holding
down the Ctrl or Shift keys and then select Delete.

Status Enable or disable the SNMP v3 user.

User Name The name of the SNMP v3 user.

Security Level The security level of the user.

Queries Indicates whether queries are enabled or disabled. A green check mark indicates
that queries are enabled; a gray x indicates that queries are disabled.

Hosts Number of hosts.

Events Number of SNMP events associated with the SNMPv3 user.

Status Indicates whether the SNMPv3 user is enabled or disabled.


Fortinet MIBs

The FortiProxy SNMP agent supports Fortinet proprietary MIBs, as well as standard RFC 1213 and RFC 2665 MIBs.
RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that
apply to FortiProxy unit configuration.
There are two MIB files for FortiProxy units; both files are required for proper SNMP data collection:
l The Fortinet MIB: contains traps, fields, and information that is common to all Fortinet products.
l The FortiProxy MIB: contains traps, fields, and information that is specific to FortiProxy units.
The Fortinet and FortiProxy MIB files are available for download on the Fortinet Customer Support site. Each Fortinet
product has its own MIB—if you use other Fortinet products, you need to download their MIB files as well.
The Fortinet MIB and FortiProxy MIB, along with the two RFC MIBs, are listed in the table in this section.
To download the MIB files, go to System > SNMP and select a MIB link in the SNMP section. See SNMP on page 419.
Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You
must add the Fortinet proprietary MIB to this database to have access to the Fortinet-specific information.

MIB files are updated for each version of FortiProxy. When upgrading the firmware, ensure
that you update the Fortinet FortiProxy MIB file compiled in your SNMP manager as well.

MIB file name Description

FORTINET-CORE-MIB.mib The Fortinet MIB includes all system configuration information and trap
information that is common to all Fortinet products. Your SNMP manager requires
this information to monitor FortiProxy unit configuration settings and receive traps
from the FortiProxy SNMP agent.

FORTINET-FORTIPROXY-MIB.mib The FortiProxy MIB includes all system configuration information and trap
information that is specific to FortiProxy units. Your SNMP manager requires this
information to monitor FortiProxy configuration settings and receive traps from the
FortiProxy SNMP agent. FortiManager systems require this MIB to monitor
FortiProxy units.

SNMP get command syntax

Normally, to get configuration and status information for a FortiProxy unit, an SNMP manager would use an SNMP get
command to get the information in a MIB field. The SNMP get command syntax would be similar to:
snmpget -v2c -c <community_name> <address_ipv4> {<OID> | <MIB_field>}
where:
l <community_name> refers to the SNMP community name added to the FortiProxy configuration. You can add
more than one community name to a FortiProxy SNMP configuration. The most commonly used community name is
public. For security reasons, Fortinet recommends that neither public nor private be used for SNMP
community names.
l <address_ipv4> is the IP address of the FortiProxy interface that the SNMP manager connects to.
l {<OID> | <MIB_field>} is the object identifier for the MIB field or the MIB field name itself.


For example, to query the firmware version running on the FortiProxy unit, the following command could be issued:
snmpget -v2c -c public 10.10.10.1 1.3.6.1.4.1.12356.109.4.1.1.0

In this example, the community name is public, the IP address of the interface configured for SNMP management
access is 10.10.10.1. The firmware version is queried using the MIB field fchSysVersion, the OID for which is
1.3.6.1.4.1.12356.109.4.1.1.0.
The value returned is a string with a value of v2.0,build0225,130213.
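The request and reply in this example, as an added Python illustration that is not FortiProxy or net-snmp code: it encodes the same SNMPv2c GetRequest that the snmpget command above sends for fchSysVersion, then decodes a constructed GetResponse carrying the version string shown. The community name "public", the request ID and the response bytes are sample values built inside the script; no device is contacted. The encoding also makes the warning above concrete: the community name travels as a cleartext OCTET STRING in every v1/v2c packet, so anyone who can capture the traffic learns it, which is why SNMP v3 with authentication is the better choice where the manager supports it.

```python
# Added example (not FortiProxy or net-snmp code): the SNMPv2c GetRequest that
# snmpget sends for fchSysVersion, plus a decoder for the GetResponse, both
# hand-encoded with BER so the round trip runs offline. The community name,
# request ID and response value are constructed sample data.

FCH_SYS_VERSION_OID = "1.3.6.1.4.1.12356.109.4.1.1.0"  # OID quoted in the guide

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
VERSION_2C = 1  # v2c is carried as version number 1 on the wire

def _tlv(tag, value):
    """BER tag-length-value (short-form length; every message here is < 128 bytes)."""
    return bytes([tag, len(value)]) + value

def _int(n):
    """Minimal-length INTEGER contents (non-negative values are all SNMP needs here)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)

def encode_oid(oid):
    """Dotted OID -> BER contents: 40*a+b for the first two arcs, base-128 after that."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(groups))
    return bytes(out)

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _message(community, pdu_tag, request_id, varbind):
    pdu = (_tlv(INTEGER, _int(request_id))
           + _tlv(INTEGER, _int(0))  # error-status
           + _tlv(INTEGER, _int(0))  # error-index
           + _tlv(SEQUENCE, _tlv(SEQUENCE, varbind)))
    # The community name is a cleartext OCTET STRING: anyone who can capture the
    # packet reads it, which is why the guide warns against "public"/"private".
    return _tlv(SEQUENCE, _tlv(INTEGER, _int(VERSION_2C))
                + _tlv(OCTET_STRING, community.encode()) + _tlv(pdu_tag, pdu))

def build_get_request(community, oid, request_id):
    """Bytes that `snmpget -v2c -c <community> <host> <oid>` puts on the wire."""
    return _message(community, GET_REQUEST, request_id,
                    _tlv(OID, encode_oid(oid)) + _tlv(NULL, b""))

def build_sample_response(community, oid, request_id, value):
    """Constructed GetResponse with an OCTET STRING value (sample, not from an agent)."""
    return _message(community, GET_RESPONSE, request_id,
                    _tlv(OID, encode_oid(oid)) + _tlv(OCTET_STRING, value.encode()))

def _read(buf, pos):
    """Read one short-form TLV at pos -> (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_response(msg):
    """Decode a GetResponse into community, request id, OID and value."""
    tag, body, _ = _read(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, _version, pos = _read(body, 0)
    _, community, pos = _read(body, pos)
    pdu_tag, pdu, _ = _read(body, pos)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU")
    _, rid, pos = _read(pdu, 0)
    _, _err, pos = _read(pdu, pos)
    _, _idx, pos = _read(pdu, pos)
    _, vbl, _ = _read(pdu, pos)
    _, vb, _ = _read(vbl, 0)
    _, oid_raw, pos = _read(vb, 0)
    vtag, val, _ = _read(vb, pos)
    return {"community": community.decode(),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "oid": decode_oid(oid_raw),
            "value": val.decode() if vtag == OCTET_STRING else val}

def demo():
    """Round trip on constructed data; the value string is the one the guide shows."""
    req = build_get_request("public", FCH_SYS_VERSION_OID, 0x1234)
    resp = build_sample_response("public", FCH_SYS_VERSION_OID, 0x1234,
                                 "v2.0,build0225,130213")
    return req, parse_response(resp)
```

Running demo() returns the raw request bytes next to the decoded reply; comparing the request hex with a packet capture of a real snmpget is a quick way to confirm that the community name is visible on the wire.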

SNMP agent

The FortiProxy SNMP agent must be enabled before configuring other SNMP options. Enter information about the
FortiProxy unit to identify it so that when your SNMP manager receives traps from the FortiProxy unit, you will know
which unit sent the information.

To configure the SNMP agent in the GUI:

1. Go to System > SNMP.
2. Enable the SNMP agent by moving the slider in the SNMP Agent field.
3. Enter a descriptive name for the agent. The description can be up to 35 characters long.
4. Enter the physical location of the unit. The system location description can be up to 35 characters long.
5. Enter the contact information for the person responsible for this FortiProxy unit. The contact information can be up
to 35 characters.
6. Click Apply to save your changes.

To configure the SNMP agent with the CLI:

Enter the following CLI commands:

config system snmp sysinfo
set status enable
set contact-info <contact_information>
set description <description_of_FortiProxy>
set location <FortiProxy_location>
end

Create or edit an SNMP community

An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community,
devices can communicate by sending and receiving traps and other information. One device can belong to multiple
communities, such as one administrator terminal monitoring both a firewall SNMP and a printer SNMP community.
Add SNMP communities to your FortiProxy unit so that SNMP managers can view system information and receive
SNMP traps. You can add up to three SNMP communities. Each community can have a different configuration for SNMP
queries and traps and can be configured to monitor the FortiProxy unit for a different set of events. You can also add the
IP addresses of up to eight SNMP managers to each community.


Selecting Create New on the SNMP v1/v2c table opens the New SNMP Community page, which provides settings for
configuring a new SNMP community. Selecting a community from the list and selecting Edit opens the Edit SNMP
Community page.


Configure the following settings in the New SNMP Community page or Edit SNMP Community page and click OK:

Community Name Enter a name to identify the SNMP community. After you create the SNMP
community, you cannot edit the name.

Enabled Enable or disable the SNMP community.

Hosts Settings for configuring the hosts of an SNMP community.

IP Address Enter the IP address/netmask of the SNMP managers that can use the settings in
this SNMP community to monitor the unit.
You can also set the IP address to 0.0.0.0 so that any SNMP manager can use
this SNMP community.

Host Type Select one of the following: Accept queries and send traps, Accept queries only,
or Send traps only.

X Removes an SNMP manager from the list within the Hosts section.

+ Select to add a blank line to the Hosts list. You can add up to 16 SNMP managers
to a single community.

Queries Settings for configuring queries for both SNMP v1 and v2c.

v1 Enabled Enable or disable SNMP v1 queries.

Port Enter the port number (161 by default) that the SNMP managers in this
community use for SNMP v1 and SNMP v2c queries to receive configuration
information from the unit.
The SNMP client software and the unit must use the same port for queries.

v2c Enabled Enable or disable SNMP v2c queries.

Traps Settings for configuring local and remote ports for both v1 and v2c.

v1 Enabled Enable or disable SNMP v1 traps.

Local Port Enter the local port number (162 by default) that the unit uses to send SNMP
v1 or SNMP v2c traps to the SNMP managers in this community.
The SNMP client software and the unit must use the same port for traps.

Remote Port Enter the remote port number (162 by default) that the unit uses to send SNMP
traps to the SNMP managers in this community.
The SNMP client software and the unit must use the same port for traps.

v2c Enabled Enable or disable SNMP v2c traps.

SNMP Events Enable each SNMP event for which the unit should send traps to the SNMP
managers in this community.
Note: The sensitivity of the CPU usage too high trap is slightly reduced by spreading
values over 8 polling cycles. This smoothing prevents the trap from firing on sharp
spikes caused by CPU-intensive short-term events, such as changing a policy.


Create or edit an SNMP user

Selecting Create New on the SNMP v3 table opens the New SNMP User page, which provides settings for configuring a
new SNMP v3 user. Selecting a user name from the user list and selecting Edit opens the Edit SNMP User page.


Configure the following settings in the New SNMP User page or Edit SNMP User page and click OK:

User Name Enter the name of the user. After you create an SNMP user, you cannot change
the user name.

Enabled Toggle the slider to enable or disable this SNMP user.

Security Level Select the type of security level the user will have:
l No Authentication
l Authentication and No Private—Enter the authentication algorithm and password to use.
l Authentication and Private—Enter the authentication algorithm and password to use.

Authentication Algorithm If the security level is set to Authentication and No Private, you can select MD5 or
SHA1 for the authentication algorithm.
If the security level is set to Authentication and Private, you can select AES, DES,
AES256, or AES256 Cisco for the authentication algorithm.

Password If the security level is set to Authentication, select Change and enter a password
in the Password field.

Hosts Settings for configuring the hosts of an SNMP community.

IP Address Enter the IP address of the notification host. If you want to add more than one
host, select + to add another host. Up to 16 hosts can be added. Select X to delete
any hosts.

Queries Settings for configuring queries for both SNMP v1 and v2c.

Enabled Enable or disable the query. By default, the query is enabled.

Port Enter the port number in the Port field (161 by default).

SNMP Events Select the SNMP events that will be associated with the user.
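How the authentication password entered for an SNMP v3 user becomes the key that protects its queries and traps, as an added Python example that is not FortiProxy code: it derives the RFC 3414 localized key for the MD5 and SHA1 choices offered above, computes the 12-byte HMAC tag that every authenticated SNMP v3 message carries, and shows that a message altered in transit no longer verifies and that the same password yields a different key on a different engine ID. The password and engine ID are the published RFC 3414 test vectors; the message bytes are constructed. The privacy (encryption) step selected under Authentication and Private is not shown.

```python
# Added example, not FortiProxy code: RFC 3414 (USM) password-to-key derivation,
# key localization and the HMAC-96 authentication tag for SNMP v3 users. The
# password and engine ID below are the RFC 3414 appendix test vectors; the
# message bytes are constructed sample data.
import hashlib
import hmac

ALGORITHMS = {"MD5": "md5", "SHA1": "sha1"}  # the two choices the GUI offers
EXPAND_TO = 1_048_576                         # RFC 3414 A.2: hash 1 MiB of password

def password_to_ku(password: bytes, algorithm: str) -> bytes:
    """Ku: the password repeated to 1,048,576 bytes and hashed (RFC 3414 A.2)."""
    reps = EXPAND_TO // len(password) + 1
    return hashlib.new(ALGORITHMS[algorithm], (password * reps)[:EXPAND_TO]).digest()

def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): ties the key to one agent (RFC 3414 2.6)."""
    return hashlib.new(ALGORITHMS[algorithm], ku + engine_id + ku).digest()

def auth_key(password: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Localized authentication key for one user on one agent."""
    return localize_key(password_to_ku(password, algorithm), engine_id, algorithm)

def auth_tag(key: bytes, message: bytes, algorithm: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the 12-byte msgAuthenticationParameters value."""
    return hmac.new(key, message, ALGORITHMS[algorithm]).digest()[:12]

def verify(key: bytes, message: bytes, tag: bytes, algorithm: str) -> bool:
    """Constant-time check, as the manager or agent does on every received message."""
    return hmac.compare_digest(auth_tag(key, message, algorithm), tag)

# RFC 3414 A.3 inputs: password "maplesyrup", engine ID 00..02
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

def demo():
    """Localized keys for both algorithms plus a tamper check on a constructed message."""
    keys = {alg: auth_key(RFC_PASSWORD, RFC_ENGINE_ID, alg).hex() for alg in ALGORITHMS}
    key = auth_key(RFC_PASSWORD, RFC_ENGINE_ID, "SHA1")
    message = b"constructed SNMPv3 message bytes with the auth field zeroed"
    tag = auth_tag(key, message, "SHA1")
    tampered = message[:-1] + b"!"
    # Same password, different engine ID: a different key, so a key recovered from
    # one agent does not authenticate the same user to another agent.
    other_key = auth_key(RFC_PASSWORD, bytes.fromhex("000000000000000000000003"), "SHA1")
    return {"keys": keys,
            "genuine_ok": verify(key, message, tag, "SHA1"),
            "tampered_ok": verify(key, tampered, tag, "SHA1"),
            "other_engine_same_key": other_key == key}
```

The localization step is the practical reason the manager must learn each agent's engine ID before it can authenticate: the password alone is never used directly as a key.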

Replacement Messages

Go to System > Replacement Messages to customize replacement pages as needed.


Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Manage Images Select to view the available images and their respective tags and add new
images. By default, images are embedded in replacement messages instead of
using a URL.
To use a URL:
config webfilter fortiguard
set embed-image disable
end

Search Enter a search term to search the replacement message list.

Simple View or Extended View Select the view:
l Simple View displays a selection of Security and Authentication messages.
l Extended View displays all messages.


See the table at the end of this section for a list of all the messages.


Name The message name.

Description The message description.

Modified A check mark is shown when the message has been modified.

Save Save any customizations that you made to the message.

Restore Default Restore the message back to its default state.

Preview A preview of how the message looks.

Message HTML The HTML code for the message that you can edit.

The following table outlines all of the messages that can be customized, as shown in Extended View:

Category Messages Description

Administrator
Post-login Disclaimer Message Replacement message for post-login disclaimer.
Pre-login Disclaimer Message Replacement message for pre-login disclaimer.

Alert Email
alertmail-block Alert email text for block incidents.
alertmail-crit-event Alert email text for critical event notification.
alertmail-disk-full Alert email text for disk-full events.
alertmail-nids-event Alert email text for IPS events.
alertmail-virus Alert email text for virus incidents.


Authentication
Authentication Rejection Page Replacement HTML for authentication rejection page.
Authentication Success Page Replacement HTML for authentication success page.
Block Notification Page Replacement HTML for block notification page.
Certificate Password Page Replacement HTML for certificate password page.
Declined Disclaimer Page Replacement HTML for user declined disclaimer page.
Declined Quarantine Page Replacement HTML for user declined quarantine page.
Disclaimer Page Replacement HTML for authentication disclaimer page.
Email Collection Replacement HTML for email collection page.
Email Collection Invalid Email Replacement HTML for email collection page after user enters invalid email.
Email Token Page Replacement HTML for email-token authentication page.
FortiToken Page Replacement HTML for FortiToken authentication page.
Guest User Email Template Replacement text for guest-user credentials email message.
Guest User Print Template Replacement HTML for guest-user credentials print out.
Keepalive Page Replacement HTML for authentication keep-alive page.
Login Challenge Page Replacement HTML for authentication login-challenge page.
Login Failed Page Replacement HTML for authentication failed page.
Login Page Replacement HTML for authentication login page.
Next FortiToken Page Replacement HTML for next FortiToken authentication page.
Password Expiration Page Replacement HTML for password expiration page.
Portal Page Replacement HTML for post-authentication portal page.
Quarantine Notification Page Replacement HTML for quarantine notification page.
SAML Login Page Replacement HTML for SAML authentication login page.
SMS Token Page Replacement HTML for SMS-token authentication page.
Success Message Replacement text for authentication success message.
Two-Factor Login Failed Replacement HTML for two-factor authentication failed page.
Two-Factor Login Page Replacement HTML for two-factor authentication login page.

Automation
Automation Alert Email Replacement HTML for automation alert email.

Device Detection
Device Detection Portal Failure Portal Page Replacement HTML for device detection portal failure page.


Email
AV Engine Load Error Email Block Message Replacement text for email blocked because the antivirus engine failed to load.
Email Decompressed Attachment Oversize Block Message Replacement text indicating the removal of an oversized decompressed attachment from email.
Email DLP Ban Replacement text for emails blocked due to data leak detection.
Email DLP Subject Replacement text for subject of emails blocked due to data leak detection.
Email File Block Message Replacement text for message indicating removal of blocked attachment from email.
Email File Size Block Message Replacement text for message indicating removal of oversized attachment from email.
Partial Email Block Message Replacement text for emails rejected because they are fragmented.
SMTP Decompressed Attachment Oversize Block Message SMTP rejection text indicating rejection due to an oversized decompressed attachment.
SMTP File Block Message Replacement text for emails rejected due to blocked attachments.
SMTP File Size Message Replacement text for emails rejected due to file size limit.

FortiGuard Web Filtering
FortiGuard Block Page Replacement HTML for FortiGuard web filter block page.
FortiGuard HTTP Error Page Replacement HTML for FortiGuard web filter HTTP error page.
FortiGuard Override Page Replacement HTML for FortiGuard web filter override page.
FortiGuard Quota Page Replacement HTML for FortiGuard web filter quota exceeded block page.
FortiGuard Warning Page Replacement HTML for FortiGuard web filter warning page.


FTP
Archive Block Message Replacement text for FTP archive file block message.
AV Engine Load Error Block Message Replacement text for FTP blocked because the antivirus engine failed to load.
Block Message Replacement text for FTP permission-denied block message.
DLP Ban Message Replacement text for FTP data-leak detected ban message.
Explicit Banner Message Replacement text for explicit FTP proxy banner message.
File Size Block Message Replacement text for FTP oversized file block message.

HTTP
AntiPhish Block Message Replacement HTML for AntiPhish credential block message.
Archive Block Message Replacement HTML for HTTP archive block message.
Block Message Replacement HTML for HTTP file block message.
Blocked Certificate Message Replacement HTML for blocked certificate message.
Content Block Message Replacement HTML for HTTP content-type block message.
Content Block Page Replacement HTML for HTTP file content block page.
Content Upload Block Page Replacement HTML for HTTP file upload content block page.
DLP Ban Message Replacement HTML for HTTP data-leak detected ban message.
Invalid Certificate Message Replacement HTML for HTTP invalid certificate message.
Oversized File Message Replacement HTML for HTTP oversized file block message.
Oversized Upload Message Replacement HTML for HTTP oversized file upload block message.
POST Block Message Replacement HTML for HTTP POST block message.
Previously Infected Block Page Replacement HTML for HTTP URL previously infected block page.
Switching Protocols Blocked Replacement HTML for HTTP Switching Protocols Blocked page.
Untrusted Certificate Message Replacement HTML for untrusted certificate message.
Upload Archive Block Message Replacement HTML for HTTP archive upload block message.
Upload Block Message Replacement HTML for HTTP file upload block message.
URL Block Page Replacement HTML for HTTP URL blocked page.
URL Filter Error Message Replacement HTML for HTTP web filter service error message.


ICAP
icap-req-resp Replacement HTML for HTTP POST action block message.
ICAP REQMOD Response Replacement message for ICAP REQMOD Response.
icap-server-service Replacement HTML for HTTP service action block message.

Network Quarantine
Network Quarantine Administrative Block Page Replacement HTML for network quarantine administrative block page.
Network Quarantine Application Block Page Replacement HTML for network quarantine application block page.
Network Quarantine AV Block Page Replacement HTML for network quarantine antivirus block page.
Network Quarantine DLP Block Page Replacement HTML for network quarantine DLP block page.
Network Quarantine DOS Block Page Replacement HTML for network quarantine DOS block page.
Network Quarantine IPS Block Page Replacement HTML for network quarantine IPS block page.

NNTP
NNTP AV Engine Load Error Block Message Replacement text for NNTP article blocked because the antivirus engine failed to load.
NNTP Decompressed File Oversize Block Message Replacement text indicating the removal of an oversized decompressed file.
NNTP DLP Ban Message Replacement text for NNTP user banned by data leak prevention.
NNTP DLP Block Message Replacement text for body of NNTP message blocked by data leak prevention.
NNTP DLP Block Subject Replacement text for subject of NNTP message blocked by data leak prevention.
NNTP File Size Block Message Replacement text for NNTP article too large block message.


Security
Application Control Block Page Replacement HTML for Application Control block page.
DLP Block Message Replacement text for DLP block message.
DLP Block Page Replacement HTML for DLP block page.
IPS Scan Failure Block Page Replacement HTML for IPS scan failure block page.
IPS Sensor Block Page Replacement HTML for IPS sensor block page.
Virus Block Message Replacement text for antivirus block message.
Virus Block Page Replacement HTML for antivirus block page.
Virus Upload Block Page Replacement HTML for virus infected file upload block page.
Web Application Firewall Block Page Replacement HTML for web application firewall block page.
Windows Executable Block Page Replacement text for blocked Windows executables.

Spam
ASE Block Message Replacement text for emails blocked due to detection by Advanced Antispam Engine (ASE).
Banned Word Block Message Replacement text for emails blocked due to prohibited content (banned words) in message.
DNSBL Block Message Replacement text for emails blocked due to detection by antispam DNSBL.
False-Positive Submit Message Replacement text for email submit message as false-positive message.
FortiGuard Block Message Replacement text for emails blocked due to IP blacklist by FortiGuard.
HELO Block Message Replacement text for emails blocked due to HELO check.
IP Blacklist Message Replacement text for emails blocked due to blacklisted sending IP addresses.
MIME Header Block Message Replacement text for emails blocked due to invalid MIME header.
Reverse DNS Block Message Replacement text for emails blocked due to invalid return domain.
Sender Address Block Message Replacement text for emails blocked due to blacklisted sender address.


SSL-VPN
Hostcheck Error Message Replacement text for host-checking error message.
SSL-VPN Limit Page Replacement HTML for SSL-VPN connection limit exceeded page.
SSL-VPN Login Page Replacement HTML for SSL-VPN login page.
SSL-VPN Portal Header Replacement HTML for SSL-VPN portal page header.
SSL-VPN Provision User Email Replacement HTML for SSL-VPN provision user email template.
SSL-VPN Provision User SMS Replacement text for SSL-VPN provision user SMS template.

Traffic Quota
Traffic Quota Limit Exceeded Page Replacement HTML for traffic quota limit exceeded block page.

Web-proxy
Web-proxy Authentication Failed Page Replacement HTML for web-proxy authentication failed page.
Web-proxy Authorization Failed Page Replacement HTML for web-proxy authorization failed page.
Web-proxy Block Page Replacement HTML for web-proxy block page.
Web-proxy Challenge Page Replacement HTML for web-proxy authentication required block page.
Web-proxy HTTP Error Page Replacement HTML for web-proxy HTTP error page.
Web-proxy IP Blackout Page Replacement HTML for web-proxy IP Blackout page.
Web-proxy User Limit Page Replacement HTML for web-proxy user limit block page.
Web-proxy ZTNA block page Replacement HTML for web-proxy ZTNA block page.

Replacement Message Groups

Go to System > Replacement Message Groups to configure custom replacement message groups.

To create a custom replacement message group in the GUI:

1. Click Create New.
2. In the Name field, enter a name for the custom replacement message group.


3. In the Comments field, enter an optional description of the custom replacement message group.
4. Select Security or Authentication.
5. Click OK.

To create a custom replacement message group in the CLI:

config system replacemsg-group
edit <name>
set comment <string>
set group-type {utm | auth}
config {webproxy | auth}
edit <msg-type>
set buffer <string>
set header {none | http | 8bit}
set format {none | text | html}
next
end
next
end

Custom ZTNA virtual host replacement message

Custom messages can be configured for each ZTNA virtual host, to be shown when verification fails. The ZTNA detail
tag (%%ZTNA_DETAIL_TAG%%) can be included to show the reason for the verification failure.

To use a custom replacement message:

1. Configure a replacement message group that includes the ZTNA detail tag in the message:
config system replacemsg-group
edit "test-vhost"
set comment ''
set group-type utm
config webproxy
edit "ztna-block"
set buffer "This is a test message: %%ZTNA_DETAIL_TAG%%"
set header http
set format html
next
end
next
end

2. Apply the replacement message group to a virtual host:
config firewall access-proxy-virtual-host
edit "test"
set host "10.1.200.102"
set replacemsg-group "test-vhost"
next
end


FortiGuard

The FortiGuard Distribution Network page provides information and configuration settings for FortiGuard subscription
services. For more information about FortiGuard services, see FortiGuard Labs.
To view and configure FortiGuard connections, go to System > FortiGuard.

Configure the following settings and select Apply:

FortiCare Support The availability or status of your unit’s support contract. The status can be
Unreachable, Not Registered, or Valid Contract. Select Launch Portal to log in to
FortiCloud.


You can update your registration status by selecting Register and loading the
license file from a location on your management computer.

Application Control Application Control is a free FortiGuard service. Application Control allows you to
Signatures identify and control applications on networks and endpoints regardless of port,
protocol, and IP address used. It gives you unmatched visibility and control over
application traffic, even traffic from unknown applications and sources. Although
the Application Control profile can be used for free, signature database updates
require a valid FortiGuard subscription. To update the database of Application
Control signatures, select Upgrade Database.

IPS The FortiGuard Intrusion Prevention System (IPS) uses a customizable database
of more than 4000 known threats to stop attacks that evade conventional firewall
defenses. It also provides behavior-based heuristics, enabling the system to
recognize threats when no signature has yet been developed. It also provides
more than 1000 application identity signatures for complete Application Control.
To update the IPS database, select Upgrade Database.

AntiVirus The FortiGuard AntiVirus Service provides fully automated updates to ensure
protection against the latest content level threats. It employs advanced virus,
spyware, and heuristic detection engines to prevent both new and evolving
threats from gaining access to your network and protects against vulnerabilities.
To update the antivirus database, select Upgrade Database.

Industrial DB The FortiGuard Industrial Security Service provides in-line protection and
proactive filtering of malicious and unauthorized network traffic; it enforces
security policies tailored to industrial environments, protocols, and equipment. To
update the industrial database, select Upgrade Database.

Web Filtering Web Filtering provides Web URL filtering to block access to harmful,
inappropriate, and dangerous web sites that may contain phishing/pharming
attacks, malware such as spyware, or objectionable content that can expose your
organization to legal liability. Based on automatic research tools and targeted
research analysis, real-time updates enable you to apply highly-granular policies
that filter web access based on 78 web content categories, over 45 million rated
web sites, and more than two billion web pages—all continuously updated.

Virtual Machine To upload or check your virtual machine license, select FortiProxy VM License.

Content Analysis FortiGuard Content Analysis Service is a licensed feature for the real-time
analysis of images to detect adult content. Detection of adult content in images
uses various patented techniques (not just color-based), including limb and body
part detection, body position, and so on. When adult content is detected, such
content can be optionally blocked or reported.

Antivirus & IPS Updates

Accept push updates Enable to allow updates sent automatically to your FortiProxy. New definitions are
added as soon as they are released by FortiGuard. If a specific override push IP
address is required, select Use override push IP and enter an IP address and port
number in the required fields.

Use override push This option is available only when Accept push updates is enabled.


Enable to configure an override server if you cannot connect to the FDN or if your
organization provides updates using their own FortiGuard server.
Enter the IP address and port of the NAT device in front of your FortiProxy. FDN
connects to this device when attempting to reach the FortiProxy. The NAT device
must be configured to forward the FDN traffic to the FortiProxy unit on UDP port
9443.

Scheduled Updates Enable to receive scheduled updates and then select when the updates occur:
Every 1-23 hours, Daily at a specific hour, or Weekly on a specific day at a specific
hour.

Improve IPS quality Enable to help Fortinet maintain and improve IPS signatures. The information is
sent to the FortiGuard servers when an attack occurs and can be used to keep the
database current as variants of attacks evolve.

Use extended IPS signature package Some models have access to an extended IPS database.

Update AV & IPS Definitions Select to manually initiate an FDN update.

Update Server Location

US only/Lowest latency locations Select whether to access FortiGuard servers within the United States or the
quickest FortiGuard servers.

Filtering

Web Filter Cache Enable the web filter cache.
Enter the number of minutes the FortiProxy unit stores blocked IP addresses or
URLs locally, saving time and network access traffic by not checking the
FortiGuard server. After the specified time, the FortiProxy unit contacts the FDN
server to verify a web address.

Clear Web Filter Cache Select to manually delete the contents of the web filter cache.

FortiGuard Filtering Protocol Select the protocol to use to contact the FortiGuard servers, either HTTPS or
UDP.

FortiGuard Filtering Port Select the port assignments for contacting the FortiGuard servers, either the
default port (53) or the alternate port (8888).

Filtering Services Availability Indicates the status of the filtering service. Select Check Again if the filtering service is
not available and then click OK in the confirmation dialog box. A warning is
displayed if the FortiProxy unit does not have a valid license.

Request re-evaluation of a URL's category Select to re-evaluate a URL's category rating using the Fortinet Live URL Rating
Support (opens in a new browser window).

Override FortiGuard Servers By default, the FortiProxy unit updates signature packages and queries rating
servers using public FortiGuard servers. You can override this list of servers. You
can also disable communication with public FortiGuard servers.

Create New Select to display the Create New Override FortiGuard Server page.


Edit Select a server in the list and click Edit to display the Edit Override FortiGuard
Server page.

Delete Select a server in the list and select Delete to remove one of the servers in the list.
To remove multiple servers, select multiple rows in the list by holding down the
Ctrl or Shift keys and then select Delete.

Setting automatic updates for FortiGuard packages

The default auto-update schedule for FortiGuard packages has been updated. Previously, the frequency was a
recurring random interval within two hours. Starting in FortiProxy 7.0.0, you can select an update frequency of
automatic, and the update interval is calculated based on the model and percentage of valid subscriptions. The update
interval is within one hour.
config system autoupdate schedule
set frequency {every | daily | weekly | automatic}
end

FortiGuard Outbreak Prevention

Starting in FortiProxy 7.0.0, FortiGuard Virus Outbreak Protection Service (VOS) allows the FortiProxy antivirus
database to be supplemented with third-party malware hash signatures curated by FortiGuard. The hash signatures are
obtained from FortiGuard's Global Threat Intelligence database. The antivirus database queries FortiGuard with the
hash of a scanned file. If FortiGuard returns a match, the scanned file is deemed to be malicious. Enabling the AV engine
scan is not required to use this feature.
NOTE: The FortiProxy unit must be registered with a valid FortiGuard outbreak prevention license.

To verify FortiGuard antivirus license information:

Go to System > FortiGuard and locate the Outbreak Prevention section in the License Information table.

To enable FortiGuard outbreak prevention:

1. Go to Security Profiles > AntiVirus.
2. Edit an antivirus profile or create a new one.
3. Under Outbreak Protection, enable Block or Monitor for each protocol.
4. Click OK.
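The following is an added illustration, not Fortinet code, of two behaviours this chapter describes: the outbreak prevention lookup (hash the scanned file, ask a rating service, treat a returned match as malicious) and the web filter cache, which keeps a verdict for the configured number of minutes before contacting the rating server again. The rating service, the sample payloads and the 30-minute TTL are constructed for the example; nothing here describes the real FortiGuard wire protocol.

```python
"""Hash lookup with a time-bounded verdict cache (added example, not Fortinet code)."""
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed sample inputs: harmless byte strings standing in for scanned files.
SAMPLE_MALICIOUS = b"constructed sample payload for the example"
SAMPLE_CLEAN = b"hello, world"


def sha256_of_chunks(chunks: Iterable[bytes]) -> str:
    """Hash a file chunk by chunk so a large file never has to sit in memory whole."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


class FakeRatingService:
    """Stand-in for the remote hash-rating service (constructed for the example)."""

    def __init__(self, malicious_hashes: Set[str]) -> None:
        self.malicious = malicious_hashes
        self.queries = 0  # round trips, so the effect of the cache is observable

    def rate(self, digest: str) -> bool:
        self.queries += 1
        return digest in self.malicious


@dataclass
class CachedVerdict:
    malicious: bool
    expires_at: float  # absolute time in seconds


class VerdictCache:
    """Keeps verdicts for ttl_minutes; an expired entry triggers a fresh lookup,
    like the web filter cache re-contacting the FDN after the configured minutes."""

    def __init__(self, service: FakeRatingService, ttl_minutes: int,
                 clock: Callable[[], float] = time.time) -> None:
        self.service = service
        self.ttl = ttl_minutes * 60
        self.clock = clock  # injectable so expiry can be exercised without sleeping
        self._entries: Dict[str, CachedVerdict] = {}

    def is_malicious(self, digest: str) -> Tuple[bool, str]:
        """Return (verdict, source); source is 'cache' or 'lookup'."""
        now = self.clock()
        entry = self._entries.get(digest)
        if entry is not None and entry.expires_at > now:
            return entry.malicious, "cache"
        verdict = self.service.rate(digest)
        self._entries[digest] = CachedVerdict(verdict, now + self.ttl)
        return verdict, "lookup"


def scan_bytes(data: bytes, cache: VerdictCache, chunk_size: int = 4096) -> Tuple[bool, str]:
    """Hash the data as a stream of chunks and consult the cache."""
    chunks = (data[i:i + chunk_size] for i in range(0, len(data), chunk_size))
    return cache.is_malicious(sha256_of_chunks(chunks))


def demo() -> Tuple[List[Tuple[bool, str]], int]:
    """Two scans inside the 30-minute TTL hit the cache; a scan after expiry goes
    back to the service. Returns the verdicts and the number of service lookups."""
    fake_now = [1_000_000.0]
    service = FakeRatingService({hashlib.sha256(SAMPLE_MALICIOUS).hexdigest()})
    cache = VerdictCache(service, ttl_minutes=30, clock=lambda: fake_now[0])
    results = [
        scan_bytes(SAMPLE_MALICIOUS, cache),  # (True, "lookup")
        scan_bytes(SAMPLE_MALICIOUS, cache),  # (True, "cache")
        scan_bytes(SAMPLE_CLEAN, cache),      # (False, "lookup")
    ]
    fake_now[0] += 31 * 60                    # step the clock past the TTL
    results.append(scan_bytes(SAMPLE_MALICIOUS, cache))  # (True, "lookup") again
    return results, service.queries


if __name__ == "__main__":
    print(demo())
```

The injectable clock is what makes the expiry path testable; in a real deployment the cache duration is the minutes value entered in the Web Filter Cache field, and a shorter value trades more rating-server traffic for faster pickup of a changed rating.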

Antiphish pattern database

To update the antiphish pattern database:

1. Go to System > FortiGuard and in the right-side pane, click Update Licenses & Definitions Now.
2. Enter the following in the CLI:
# diagnose autoupdate versions
...


AntiPhish Pattern DB
---------
Version: 0.00000
Contract Expiry Date: n/a
Last Updated using manual update on Tue Nov 30 00:00:00 1999
Last Update Attempt: Wed Sep 29 14:00:11 2021
Result: No Updates

Feature Visibility

Various FortiProxy features can be enabled or disabled as required. Disabled features are not shown in the GUI.
Go to System > Feature Visibility to configure which features are available.


The following options can be turned on or off by toggling the sliders:

IPv6 Allows you to configure the following IPv6 features from the GUI: network
interface addresses, trusted hosts for administration, static routes, policy routes,
security policies, and firewall addresses.

VPN Creates secure communication channels between networks and allows remote
users to safely connect to secure private networks using SSL-VPN, IPsec VPN,
and FortiClient. Adds the VPN > IPsec Tunnels and VPN > SSL-VPN Settings
menus.

Allow Unnamed Policies Relaxes the requirement for every policy to have a name when created in GUI.

Certificates Controls the visibility of the System > Certificates menu.
Allows you to change the certificates used for SSL inspection, SSL load
balancing, SSL-VPN, IPsec VPN, and authentication. If Certificates is not
enabled, default FortiProxy certificates are used.

ICAP Controls the visibility of the Content Analyses > ICAP Profile, Content Analyses >
ICAP Remote Servers, and Content Analyses > ICAP Local Servers pages.
Allows you to offload services to an external server. These services can include:
ad insertion, virus scanning, content and language translation, HTTP header or
URL manipulation, and content filtering. You can also use this feature to set up
profiles and add them to security policies.

Local Reports Controls whether you can view PDF security reports in the GUI.

Implicit Firewall Policies Firewall policy lists end with an implicit policy that denies all traffic. Enable this
feature to see these policies on firewall policy lists in the GUI. You can edit an
implicit policy and enable logging to record log messages when the implicit policy
denies a session.

Multiple Interface Policies Allows the configuration of policies with multiple source/destination interfaces.

Multiple Security Profiles Allows you to create more than one antivirus profile, web filter profile, application
sensor, IPS sensor, antispam profile, DLP sensor, VoIP profile (if enabled), and
ICAP profile (if enabled). You can also select the individual UTM profiles in
security policies. Enable multiple UTM profiles if you need different levels of UTM
protection for different traffic streams.

Policy-based IPsec VPN Configures policy-based IPsec tunnels. When enabled, an option is added when
creating phase 1 IPsec tunnels to determine if they are interface based or policy
based. There will also be an option added under Policy & Objects > Policy to
select IPsec as a subtype for VPN policies, and an option to select the IPsec
tunnel to use.

SSL-VPN Personal Bookmark Allows you to view personal bookmarks added by SSL-VPN users to their portal
pages. Adds the VPN > SSL-VPN Personal Bookmarks menu. Also allows you to
delete users' personal bookmarks.

SSL-VPN Realms Allows you to create customized realms for different SSL-VPN users and groups.
Adds the VPN > SSL-VPN Realms menu. Allows you to associate realms with
users and groups in the Authentication/Portal Mapping table under VPN > SSL-
VPN Settings.


Traffic Shaping Allows you to configure policies to define how specific types of traffic are shaped
by the FortiProxy unit.

Anti-Spam Filter Controls the visibility of the Security Profiles > Anti-Spam menu.
Allows you to detect and filter spam. Set up anti-spam profiles (under Security
Profiles > Anti-Spam) and add them to firewall policies. Some features require a
subscription to FortiGuard Anti-Spam.

AntiVirus Controls the visibility of the Security Profiles > AntiVirus menu.
Allows you to remove viruses, analyze suspicious files with FortiSandbox, and
apply botnet protection to network traffic. Set up antivirus profiles (Security
Profiles > AntiVirus) and add them to firewall policies. This feature requires a
subscription to FortiGuard AntiVirus.

Application Control Controls the visibility of the Security Profiles > Application Control menu.
Allows you to visualize and control the applications on your network. Set up
application sensors (under Security Profiles > Application Control) and add them
to firewall policies. This feature requires a subscription to Application Control
Signatures.

DLP Controls the visibility of the Security Profiles > Data Leak Prevention menu.
Allows you to prevent sensitive data, like credit card and social security numbers,
from leaving or entering your network. Set up DLP sensors (under Security
Profiles > Data Leak Prevention) and add them to firewall policies.

DNS Filter Controls the visibility of the Security Profiles > DNS Filter menu.
Allows you to apply DNS category filtering and URL filtering to control a user's access
to web resources. Set up DNS filter profiles (under Security Profiles > DNS Filter)
and add them to firewall policies or add them to a DNS server on a FortiProxy
interface. Some features require a subscription to FortiGuard Web Filtering.

Intrusion Prevention Controls the visibility of the Security Profiles > Intrusion Prevention menu.
Allows you to detect and block network-based attacks. You can set up IPS
sensors (under Security Profiles > Intrusion Prevention) and add them to security
policies. This feature requires a subscription to FortiGuard IPS.

Web Filter Controls the visibility of the Security Profiles > Web Filter menu.
Allows you to apply web category filtering, URL filtering, and content filtering to
control user's access to web resources. You can set up web filter profiles
(Security Profiles > Web Filter) and add them to firewall policies. Some features
require a subscription to FortiGuard Web Filtering.

Certificates

There are three types of certificates that FortiProxy units use:


l Local certificates—Local certificates are issued for a specific server or web site. Generally they are very specific and
often for an internal enterprise network.
l CA certificates—External CA certificates are similar to local certificates, except they apply to a broader range of
addresses or to a whole company. A CA certificate would be issued for an entire web domain, instead of just a single
web page. External CA certificates can be deleted, downloaded, and their details can be viewed, in the same way
as local certificates.
l Remote certificates—These remote certificates are public certificates without private keys. They can be deleted,
imported, and downloaded, and their details can be viewed in the same way as local certificates.
The FortiProxy unit generates a certificate request based on the information you entered to identify the FortiProxy unit.
After you generate a certificate request, you can download the request to a computer that has management access to
the FortiProxy unit and then forward the request to a CA.
The certificate window also enables you to export certificates for authentication, importing, and viewing.
This section describes the following:
l Certificate list on page 447
l Certificate Signing Requests on page 448
l Import a local certificate on page 451
l Import a CA certificate on page 454
l Upload a remote certificate on page 454
l Import a CRL on page 454
l View certificate details on page 455
l Default certificate authority on page 455

Certificate list

To see a list of certificates that have been imported, go to System > Certificates.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the
columns to display or to reset all the columns to their default settings. You can also drag column headings to change
their order.
The following options are available:

Create/Import l Create or import a local certificate (see Import a local certificate on page 451)
l Generate a CSR (see Certificate Signing Requests on page 448)
l Import a CA certificate (see Import a CA certificate on page 454)
l Upload a remote certificate (see Upload a remote certificate on page 454)
l Import a CRL (see Import a CRL on page 454)

Edit Highlight a certificate and select Edit to edit the certificate comments. This command
is only available for some certificates.

Delete Select a certificate and select Delete to remove the selected certificate or CSR.
Click OK in the confirmation dialog box to proceed with the delete action.
To remove multiple certificates or CSRs, select multiple rows in the list by holding
down the Ctrl or Shift keys and then select Delete.

View Details View a certificate. See View certificate details on page 455.

Download Select a certificate or CSR and then select Download to download that certificate
or CSR to your management computer.

Search Enter a search term to search the certificate list.

Name The name of the certificate.

Subject The subject of the certificate.

Comments Comments.

Issuer The issuer of the certificate.

Expires Displays the certificate's expiration date and time.

Status The status of the certificate or CSR.
l OK: the certificate is okay.
l NOT AVAILABLE: the certificate is not available, or the request was rejected.
l PENDING: the certificate request is pending.

Source The source of a certificate can be Factory, User, or FortiGuard.

Ref. Displays the number of times the certificate or CSR is referenced by other objects.
To view the location of the referenced object, select the number in Ref., and the
Object Usage window appears displaying the various locations of the referenced
object.

Certificate Signing Requests

Whether you create certificates locally or obtain them from an external certificate service, you need to generate a
Certificate Signing Request (CSR).
When a CSR is generated, a private and public key pair is created for the FortiProxy unit. The generated request
includes the public key of the device, and information such as the unit’s public static IP address, domain name, or email
address. The device’s private key remains confidential on the unit.
After the request is submitted to a CA, the CA verifies the information and registers the contact information on a digital
certificate that contains a serial number, an expiration date, and the public key of the CA. The CA then signs the
certificate, after which you can install the certificate on the FortiProxy device.


To generate a CSR:

1. Go to System > Certificates and click Create/Import > Generate CSR. The Generate Certificate Signing Request
page opens.


2. Enter the following information:

Certificate Name Enter a unique name for the certificate request, such as the host name or the
serial number of the device.
Do not include spaces in the certificate name, to ensure compatibility as a PKCS12
file.

Subject Information Select the ID type:
l Host IP: Select if the unit has a static IP address. Enter the device’s IP
address in the IP field.
l Domain Name: Enter the device’s domain name or FQDN in the Domain
Name field.
l E-mail: Enter the email address of the device’s administrator in the E-mail
field.

Optional Information Optional information to further identify the device.

Organization Unit Enter the name of the department. Up to 5 OUs can be added.

Organization Enter the legal name of the company or organization.

Locality (City) Enter the name of the city where the unit is located.

State/Province Enter the name of the state or province where the unit is located.

Country/Region Enable and then enter the country where the unit is located. Select from the
drop-down list.

E-Mail Enter the contact email address.

Subject Alternative Name Enter one or more alternative names, separated by commas, for which the
certificate is also valid.
An alternative name can be: email address, IP address, URI, DNS name, or a
directory name.
Each name must be preceded by its type, for example: IP:1.2.3.4, or URL:
http://your.url.here/.

Password for private key Enter a password for the private key.

Key Type Select RSA or Elliptic Curve. The default is RSA.

Key Size If you selected RSA for the Key Type, select the key size: 1024 Bit, 1536 Bit,
2048 Bit, or 4096 Bit. The default is 2048 Bit.
Larger key sizes are more secure but slower to generate.

Curve Name If you selected Elliptic Curve for the Key Type, select the curve name:
secp256r1, secp384r1, or secp521r1.

Enrollment Method Select the enrollment method. The default is File Based.
l File Based: Generate the certificate request.
l Online SCEP: Obtain a signed, Simple Certificate Enrollment Protocol
(SCEP) based certificate automatically over the network. Enter the CA
server URL and challenge password in their respective fields.

3. Click OK to generate the CSR.
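The following is an added example, not Fortinet code and not the FortiProxy unit's own CSR generator: it uses the Python cryptography library to build a request with the same fields the Generate Certificate Signing Request page asks for (subject, typed Subject Alternative Name list, key type, key size or curve, private-key password), then reads the result back the way you would inspect a downloaded CSR before forwarding it to a CA. parse_san() accepts the comma-separated "type:value" form described in the table above. The host name, IP address, organization and passphrase are constructed.

```python
"""Build and inspect a CSR with the fields of the Generate CSR page (added example)."""
import ipaddress
from typing import Dict, List, Optional, Union

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

PrivateKey = Union[rsa.RSAPrivateKey, ec.EllipticCurvePrivateKey]

# Curve names as offered on the page, mapped to the library's classes.
CURVES = {"secp256r1": ec.SECP256R1, "secp384r1": ec.SECP384R1, "secp521r1": ec.SECP521R1}


def parse_san(san: str) -> List[x509.GeneralName]:
    """Turn 'DNS:host, IP:192.0.2.1, email:a@b, URL:https://x/' into GeneralNames.
    The type prefix is case-insensitive; URL is accepted as an alias of URI."""
    names: List[x509.GeneralName] = []
    for item in san.split(","):
        item = item.strip()
        if not item:
            continue
        kind, sep, value = item.partition(":")  # split on the FIRST colon only
        if not sep:
            raise ValueError(f"SAN entry without a type prefix: {item!r}")
        kind, value = kind.strip().upper(), value.strip()
        if kind == "DNS":
            names.append(x509.DNSName(value))
        elif kind == "IP":
            names.append(x509.IPAddress(ipaddress.ip_address(value)))
        elif kind == "EMAIL":
            names.append(x509.RFC822Name(value))
        elif kind in ("URI", "URL"):
            names.append(x509.UniformResourceIdentifier(value))
        else:
            raise ValueError(f"unsupported SAN type {kind!r} in {item!r}")
    return names


def generate_key(key_type: str = "RSA", key_size: int = 2048,
                 curve: str = "secp256r1") -> PrivateKey:
    """Key Type / Key Size / Curve Name choices as on the page."""
    if key_type.upper() == "RSA":
        return rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    return ec.generate_private_key(CURVES[curve]())


def build_csr(cert_name: str, common_name: str, san: str, key: PrivateKey,
              organization: str = "", org_unit: str = "",
              country: Optional[str] = None) -> x509.CertificateSigningRequest:
    """cert_name is the object name on the unit; it must not contain spaces."""
    if " " in cert_name:
        raise ValueError("certificate name must not contain spaces (PKCS#12 compatibility)")
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, common_name)]
    if organization:
        attrs.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization))
    if org_unit:
        attrs.append(x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, org_unit))
    if country:
        attrs.append(x509.NameAttribute(NameOID.COUNTRY_NAME, country))  # two-letter code
    builder = x509.CertificateSigningRequestBuilder().subject_name(x509.Name(attrs))
    san_names = parse_san(san)
    if san_names:
        builder = builder.add_extension(x509.SubjectAlternativeName(san_names), critical=False)
    return builder.sign(key, hashes.SHA256())  # the private key never leaves this process


def describe_csr(csr: x509.CertificateSigningRequest) -> Dict[str, object]:
    """What to check in the downloaded CSR before forwarding it to the CA."""
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        dns = san.get_values_for_type(x509.DNSName)
        ips = [str(ip) for ip in san.get_values_for_type(x509.IPAddress)]
        emails = san.get_values_for_type(x509.RFC822Name)
    except x509.ExtensionNotFound:
        dns, ips, emails = [], [], []
    return {"cn": cn, "dns": dns, "ips": ips, "emails": emails,
            "signature_valid": csr.is_signature_valid}


def export_pem(csr: x509.CertificateSigningRequest, key: PrivateKey,
               passphrase: bytes) -> Dict[str, bytes]:
    """The CSR to send to the CA, and the private key encrypted with the
    passphrase (the 'Password for private key' field)."""
    return {
        "csr": csr.public_bytes(serialization.Encoding.PEM),
        "key": key.private_bytes(
            serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
            serialization.BestAvailableEncryption(passphrase)),
    }


if __name__ == "__main__":
    k = generate_key("Elliptic Curve", curve="secp256r1")
    req = build_csr("fortiproxy-lab", "proxy.example.com",
                    "DNS:proxy.example.com, IP:192.0.2.10, email:admin@example.com",
                    k, organization="Example Corp", org_unit="IT", country="DE")
    print(describe_csr(req))
    print(export_pem(req, k, b"constructed-passphrase")["csr"].decode())
```

The check worth keeping from this is describe_csr(): a CSR whose CN or SAN does not contain the name clients will connect to is signed by the CA exactly as submitted, so verify the names before the request leaves the management computer.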


Import a local certificate

Local certificates are issued for a specific server, or web site. Generally they are very specific, and often for an internal
enterprise network. For example, a personal web site for John Smith at www.example.com (such as
http://www.example.com/home/jsmith) would have its own local certificate.
These can optionally be just the certificate file or also include a private key file and PEM passphrase for added security.
Signed local certificates can be imported to the FortiProxy unit.

To import a local certificate:

1. Go to System > Certificates and click Create/Import > Certificate. The Import Certificate page opens.
2. Select the Type:
l If the Type is Local Certificate, select Upload and locate the certificate file on your computer.
l If the Type is PKCS #12 Certificate, select Upload and locate the certificate with key file on your computer.
Select Change to enter the password in the Password field.
l If the Type is Certificate, select Upload and locate the certificate file on your computer. Select Upload and
locate the key file on your computer. Select Change to enter the password in the Password field.
3. Click OK to import the certificate.

ACME certificate support

The Automated Certificate Management Environment (ACME), as defined in RFC 8555, is used by the public Let's
Encrypt certificate authority (https://letsencrypt.org) to provide free SSL server certificates. The FortiProxy unit can be
configured to use certificates that are managed by Let's Encrypt and other certificate management services that use the
ACME protocol. The server certificates can be used for secure administrator login to the FortiProxy unit.
l The FortiProxy unit must have a public IP address and a hostname in DNS (FQDN) that resolves to the public IP
address.
l The configured ACME interface must be public facing so that the FortiProxy unit can listen for ACME update
requests. It must not have any VIPs or port forwarding on port 80 (HTTP) or 443 (HTTPS).
l The Subject Alternative Name (SAN) field is automatically filled with the FortiProxy DNS hostname. It cannot be
edited, wildcards cannot be used, and multiple SANs cannot be added.
NOTE: To configure certificates in the GUI, go to System > Feature Visibility and enable Certificates.

To import an ACME certificate in the GUI:

1. Go to System > Certificates and click Create/Import > Certificate.
2. Set Type to Automated.
3. Set Certificate name to an appropriate name for the certificate.
4. Set Domain to the public FQDN of the FortiProxy unit.
5. Set Email to a valid email address. The email is not used during the enrollment process.
6. Ensure that ACME service is set to Let's Encrypt.
7. Configure the remaining settings as required and then click OK.
8. If this is the first time enrolling a server certificate with Let's Encrypt on this FortiProxy unit, the Set ACME Interface
pane opens. Select the interface that the FortiProxy unit communicates with Let's Encrypt on and then click OK.

The ACME interface can later be changed in System > Settings.


9. Select the new server certificate in the Local Certificate list and then click View Details to verify that the FortiProxy
unit's FQDN is in the certificate's Subject: Common Name (CN).
The Remote CA Certificate list includes the issuing Let's Encrypt intermediate CA, issued by the public CA DST
Root CA X3 from Digital Signature Trust Company.

To exchange the default FortiProxy administration server certificate for the new public Let's Encrypt
server certificate in the GUI:

1. Go to System > Settings.
2. Set the HTTPS server certificate to the new certificate.
3. Click Apply.
4. Log in to the FortiProxy unit using an administrator account from any Internet browser. There should be no warnings
related to untrusted certificates, and the certificate path should be valid.

To import an ACME certificate in the CLI:

1. Set the interface that the FortiProxy unit communicates with Let's Encrypt on:
config system acme
set interface port1
end
2. Make sure that the FortiProxy unit can contact the Let's Encrypt enrollment server:
FortiProxy-400E # execute ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248): 56 data bytes
64 bytes from 172.65.32.248: icmp_seq=0 ttl=56 time=4.8 ms
64 bytes from 172.65.32.248: icmp_seq=1 ttl=56 time=4.5 ms
64 bytes from 172.65.32.248: icmp_seq=2 ttl=56 time=4.5 ms
64 bytes from 172.65.32.248: icmp_seq=3 ttl=56 time=4.5 ms
64 bytes from 172.65.32.248: icmp_seq=4 ttl=56 time=4.5 ms

--- ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 4.5/4.5/4.8 ms

3. Configure the local certificate request:
config vpn certificate local
edit "acme-test"
set enroll-protocol acme2
set acme-domain "test.ftntlab.de"
set acme-email "techdoc@fortinet.com"
next
By enabling this feature you declare that you agree to the Terms of Service at
https://acme-v02.api.letsencrypt.org/directory
Do you want to continue? (y/n)y
end
4. Verify that the enrollment was successful:
# get vpn certificate local details acme-test

To exchange the default FortiProxy administration server certificate for the new public Let's Encrypt
server certificate in the CLI:

config system global
set admin-server-cert "acme-test"
end

When you log in to the FortiProxy unit using an administrator account, there should be no warnings related to untrusted
certificates, and the certificate path should be valid.

Import a CA certificate

CA root certificates are similar to local certificates; however, they apply to a broader range of addresses or to a whole
company; they are one step higher up in the organizational chain. Using the local certificate example, a CA root
certificate would be issued for all of www.example.com instead of just the smaller single web page.
CA certificates can be imported to the FortiProxy unit.

To import a CA certificate:

1. From the Certificates page, select Import > CA Certificate. The Import CA Certificate page opens.
2. Select the Type:
l If you select Online SCEP (Simple Certificate Enrollment Protocol), enter the URL of the SCEP server and
optional CA identifier.
l If you select File, select Upload and locate the certificate file on your computer.
3. Click OK to import the certificate.

Upload a remote certificate

Remote certificates are public certificates without a private key. Remote certificates can be uploaded to the FortiProxy
unit.

To upload a remote certificate:

1. From the Certificates page, select Import > Remote Certificate. The Upload Remote Certificate page opens.
2. Select Upload and locate the certificate file on your computer.
3. Click OK to upload the certificate.

Import a CRL

A certificate revocation list (CRL) is a list of certificates that have been revoked and are no longer usable. This list includes
certificates that have expired, been stolen, or otherwise compromised. If your certificate is on this list, it will not be
accepted. CRLs are maintained by the CA that issues the certificates and include the date and time when the next CRL
will be issued as well as a sequence number to help ensure you have the most current version of the CRL.
CRLs can be imported to the FortiProxy unit.

To import a certificate revocation list:

1. From the Certificates page, select Import > CRL. The Import CRL page opens.
2. Select File Based or Online Updating.


If you select File Based, select Upload and locate the certificate file on your computer. If you select Online Updating,
configure the following settings:
l HTTP: If you enable HTTP updating, enter the URL of the HTTP server.
l LDAP: If you enable LDAP updating, select or search for the LDAP server, enter the user name, and select
Change to enter the password in the Password field.
l SCEP: If you enable SCEP updating, select a local certificate for SCEP communication for the online CRL and
enter the URL of the SCEP server.
3. Click OK to import the CRL.
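The following is an added example, not Fortinet code: it builds the kind of CRL that can be imported here, using the Python cryptography library, to show the fields the text above mentions (issuer, this and next update time, the CRL number that serves as the sequence number, and the revoked serials) and the checks a relying party makes before trusting the list: the signature must verify with the issuing CA's key, the list must not be past its next update time, and only then is the serial looked up. The CA, serial numbers and dates are constructed; a real CA's CRL is fetched from the HTTP, LDAP or SCEP source configured on the Import CRL page.

```python
"""Issue a CRL and check a certificate serial against it (added example)."""
import datetime as dt
from typing import Dict, Tuple

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc


def make_ca(name: str = "Example Lab CA") -> Tuple[ec.EllipticCurvePrivateKey, x509.Certificate]:
    """Self-signed CA, constructed only so the CRL has a verifiable signer."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    start = dt.datetime(2024, 1, 1, tzinfo=UTC)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject).issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start).not_valid_after(start + dt.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_crl(ca_key: ec.EllipticCurvePrivateKey, ca_cert: x509.Certificate,
              revoked: Dict[int, dt.datetime], crl_number: int,
              this_update: dt.datetime, validity_days: int = 7) -> x509.CertificateRevocationList:
    """revoked maps certificate serial -> revocation time. The CRL number is the
    sequence number a client uses to tell a newer list from an older one."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(this_update)
        .next_update(this_update + dt.timedelta(days=validity_days))
        .add_extension(x509.CRLNumber(crl_number), critical=False)
    )
    for serial, when in revoked.items():
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(when).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def crl_sequence_number(crl: x509.CertificateRevocationList) -> int:
    return crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number


def _next_update(crl: x509.CertificateRevocationList) -> dt.datetime:
    # Newer cryptography releases expose next_update_utc; older ones expose a
    # naive UTC datetime as next_update. Normalize to an aware UTC value.
    value = getattr(crl, "next_update_utc", None)
    if value is None:
        value = crl.next_update.replace(tzinfo=UTC)
    return value


def check_with_crl(crl: x509.CertificateRevocationList, ca_cert: x509.Certificate,
                   serial: int, now: dt.datetime) -> str:
    """Return 'revoked', 'good', or the reason the CRL cannot be relied on."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "crl-signature-invalid"  # not produced with this CA's key
    if crl.issuer != ca_cert.subject:
        return "crl-issuer-mismatch"
    if now > _next_update(crl):
        return "crl-stale"              # a newer list should have been fetched by now
    if crl.get_revoked_certificate_by_serial_number(serial) is not None:
        return "revoked"
    return "good"


def demo() -> Dict[str, object]:
    """Constructed scenario: serial 4242 revoked on 2024-06-01, CRL number 7."""
    ca_key, ca = make_ca()
    t0 = dt.datetime(2024, 6, 1, tzinfo=UTC)
    crl = issue_crl(ca_key, ca, {4242: t0}, crl_number=7, this_update=t0)
    day = dt.timedelta(days=1)
    _, other_ca = make_ca()  # same name, different key: must not validate the CRL
    return {
        "number": crl_sequence_number(crl),
        "revoked_serial": check_with_crl(crl, ca, 4242, t0 + day),
        "other_serial": check_with_crl(crl, ca, 1, t0 + day),
        "after_next_update": check_with_crl(crl, ca, 1, t0 + 8 * day),
        "wrong_ca": check_with_crl(crl, other_ca, 1, t0 + day),
    }


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: a stale or unsigned list says nothing about a serial, so treating "not listed" as "good" is only safe after the signature and next-update checks have passed. This is why the online updating options on the Import CRL page exist; a file-based CRL that is never refreshed goes stale after its next update time.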

View certificate details

Certificate details can be viewed by selecting a certificate and then selecting View Details from the toolbar.
The following information is displayed:

Certificate Name The name of the certificate.

Serial Number The serial number of the certificate.

Subject Information The subject information of the certificate, including:
l Common Name (CN)
l Organization (O)
l Organization Unit (OU)
l Locality (L)
l State (ST)
l Country (C)
l Email Address

Issuer The issuer information of the certificate, including most of the information from
Subject Information.

Validity Period Displays the Valid From and the expiration Valid To date of the certificate. The
certificate should be renewed before this expiration date.

Fingerprints The identifying fingerprint of the certificate.

Extension The certificate extension information.

Select Close to return to the certificate list.

Default certificate authority

Default certificate authorities (CA) can be configured and, by default, web-proxy and ssl-ssh-profile use the default CAs:
config firewall ssl default-certificate
set default-ca "Fortinet_CA_SSL"
set default-untrusted-ca "Fortinet_CA_Untrusted"
set default-server-cert "Fortinet_Factory"
end
config web-proxy global
set ssl-cert "default-server-cert"
set ssl-ca-cert "default-ca"
end
config firewall ssl-ssh-profile
edit 1
set caname "default-ca"
set untrusted-caname "default-untrusted-ca"
next
end

The CA can be changed by either changing the default, or by setting a specific default for the web-proxy or ssl-ssh-
profile. For example, to change the web-proxy CAs, but not the defaults:
config web-proxy global
set ssl-cert "Personal_Server_CA"
set ssl-ca-cert "Personal_CA"
end

Security Fabric

The Fortinet Security Fabric provides a visionary approach to security that allows your organization to deliver intelligent,
powerful, and seamless security. Fortinet offers security solutions for endpoints, access points, network elements, the
data center, applications, cloud, and data, designed to work together as an integrated security fabric that can be
integrated, analyzed, and managed to provide end-to-end protection for your network. Your organization can also add
third-party products that are members of the Fortinet Fabric-Ready Partner Program to the Security Fabric.
All elements in the Security Fabric work together as a team to share policy, threat intelligence, and application flow
information. This collaborative approach expands network visibility and provides fast threat detection in real time and the
ability to initiate and synchronize a coordinated response, no matter which part of the network is being compromised.
The Security Fabric allows your network to automatically see and dynamically isolate affected devices, partition network
segments, update rules, push out new policies, and remove malware.
The Security Fabric is designed to cover the entire attack surface and provide you with complete visibility into your
network. It allows you to collect, share, and correlate threat intelligence between security and network devices, centrally
manage and orchestrate policies, automatically synchronize resources to enforce policies, and coordinate a response to
threats detected anywhere across the extended network. The unified management interface provides you with
cooperative security alerts, recommendations, audit reports, and full policy control across the Security Fabric that will
give you confidence that your network is secure.
This section describes the following topics:
l Fabric Connectors on page 457
l External Connectors on page 458
l Asset Identity Center on page 462

Fabric Connectors

Fabric connectors provide integration with Fortinet products to automate the process of managing dynamic security
updates without manual intervention.

To create a fabric connector:

1. Go to Security Fabric > Fabric Connector.
2. Click on one of the icons.
3. Fill out the fields.
4. Click OK.

Simplify EMS pairing with Security Fabric so one approval is needed for all devices

Starting in FortiProxy 7.0.0, FortiClient EMS with Fabric authorization and silent approval capabilities will be able to
approve the root FortiProxy unit in a Security Fabric once and then silently approve remaining downstream FortiProxy
units in the Fabric. Similarly in an HA scenario, an approval only needs to be made once to the HA primary unit. The
remaining cluster members are approved silently.

To use EMS silent approval:

1. Configure the EMS entry on the root FortiProxy unit or HA primary:
config endpoint-control fctems
edit "ems139"
set fortinetone-cloud-authentication disable
set server "172.16.200.139"
set https-port 443
set source-ip 0.0.0.0
set pull-sysinfo enable
set pull-vulnerabilities enable
set pull-avatars enable
set pull-tags enable
set pull-malware-hash enable
unset capabilities
set call-timeout 30
set websocket-override disable
next
end

When the entry is created, the capabilities are unset by default.
2. Authenticate the FortiProxy unit with EMS:
# execute fctems verify ems_139
...

The FortiProxy unit enables the Fabric authorization and silent approval based on the EMS supported capabilities.
config endpoint-control fctems
edit "ems139"
set server "172.18.62.12"
set capabilities fabric-auth silent-approval websocket
next
end

3. Configure a downstream device in the Security Fabric. The downstream device is silently approved.
4. Configure a secondary device in an HA system. The secondary device is silently approved.

External Connectors

You can use external connectors to connect your FortiProxy unit to public and private cloud solutions. By using an
external connector, you can ensure that changes to cloud environment attributes are automatically updated in the
Security Fabric. You can use external connector address objects to create policies that provide dynamic access control
based on cloud environment attribute changes. There is no need to manually reconfigure addresses and policies
whenever changes to the cloud environment occur.
There are four steps to creating and using an external connector:
1. Gather the required information. The required information depends on which public or private cloud solution SDN
connector you are configuring.
2. Create the external connector.
3. Create an external connector address.
4. Add the address to a firewall policy.
The following provides general instructions for creating an external connector and using the dynamic address object in a
firewall policy.

To create an SDN connector in the GUI:

1. Go to Security Fabric > External Connectors.
2. Click Create New.
3. Click the desired public or private cloud.
4. Enter the Name, Status, and Update interval for the connector.
5. Enter the previously collected information for the connector as needed.
6. Click OK.

To create an SDN connector in the CLI:

config system sdn-connector
edit <name>
set status {enable | disable}
set type {connector type}
...
set update-interval <integer>
next
end

The available CLI commands vary depending on the selected SDN connector type.

External threat feeds

Threat feeds dynamically import an external block list from an HTTP server in the form of a plain text file, or from a
STIX/TAXII server. Block lists can be used to enforce special security requirements, such as long term policies to always
block access to certain websites, or short term requirements to block access to known compromised locations. The lists
are dynamically imported, so that any changes are immediately imported by FortiProxy.
FortiProxy can also download external threat feeds as a downstream proxy in an isolated environment, where only the
upstream proxy has internet access. All SWG functions, including SSL deep inspection, are performed by the
downstream proxy. FDS updates and management are done on the FortiManager.
You can define up to 511 threat feed entries using either the GUI or CLI.

To configure an external threat feed connector in the GUI:

1. Go to Security Fabric > External Connectors and click Create New.
2. In the Threat Feeds section, click one of the icons.
3. Configure the settings as needed.
4. Click OK.


To configure an external threat feed connector in the CLI:

config system external-resource
edit <name>
set status {enable | disable}
set type {category | address | domain | malware | url}
set category <integer>
set username <string>
set password <string>
set comments <string>
set resource <uri>
set user-agent <string>
set refresh-rate <integer>
set source-ip <ip_address>
set interface-select-method {auto | sdwan | specify}
set interface <interface>
set proxy <proxy_server>
set proxy-port <port>
set proxy-username <username>
set proxy-password <password>
next
end

status {enable | disable}
    Enable/disable the user resource.

type {category | address | domain | malware | url}
    User resource type:
    - category: FortiGuard category
    - address: Firewall IP address
    - domain: Domain name
    - malware: Malware hash
    - url: URL list

category <integer>
    User resource category. This option is only available when type is category or domain.

username <string>
    HTTP basic authentication user name.

password <string>
    HTTP basic authentication password.

comments <string>
    Comments.

*resource <uri>
    URI of the external resource.

*user-agent <string>
    HTTP User-Agent header (default = 'curl/7.58.0').

*refresh-rate <integer>
    Time interval to refresh the external resource, in minutes (1 - 43200, default = 5).

source-ip <ip_address>
    Source IPv4 address used to communicate with the server.

interface-select-method {auto | sdwan | specify}
    Specify how to select the outgoing interface to reach the server:
    - auto: Set the outgoing interface automatically
    - sdwan: Set the outgoing interface by SD-WAN or policy routing rules
    - specify: Set the outgoing interface manually

interface <interface>
    Specify the outgoing interface to reach the server. This option is only available when
    interface-select-method is specify.

proxy <proxy_server>
    Proxy server host (IP or domain name).

proxy-port <port>
    Port number that the proxy server expects to receive HTTP sessions on (1 - 65535, default = 8080).

proxy-username <username>
    HTTP proxy basic authentication user name.

proxy-password <password>
    HTTP proxy basic authentication password.

Malware hashes

The malware hash threat feed connector supports a list of file hashes that can be used as part of virus outbreak
prevention. The FortiProxy unit can retrieve an external malware hash list from a remote server and poll the hash list
every n minutes for updates. The external malware hash list can include MD5, SHA1, and SHA256 hashes.
Just like FortiGuard Outbreak Prevention, the external dynamic block list is not supported in AV quick scan mode.
Using different types of hash simultaneously can slow down the performance of malware scanning. For this reason,
Fortinet recommends using only one type of hash on a list (MD5, SHA1, or SHA256), not all three simultaneously.

To create a malware hash connector in the GUI:

1. Go to Security Fabric > External Connectors and click Create New.
2. In the Threat Feeds section, click Malware Hash.
3. Enter a name for the malware hash file.
4. Enter the URI for the malware hash file.
5. Click OK.

To create a malware hash connector in the CLI:

config system external-resource
edit <external_resource_name>
set type malware
set resource <string>
next
end

IP addresses

You can use an external block list (threat feed) for web filtering and DNS. You can also use an external block list (threat
feed) in firewall policies.

To create an external IP list object:

Create a plain text file with one IP address, IP address range, or subnet per line. For example:
192.168.2.100
172.200.1.4/16
172.16.1.2/24
172.16.8.1-172.16.8.100
2001:0db8::eade:27ff:fe04:9a01/120
2001:0db8::eade:27ff:fe04:aa01-2001:0db8::eade:27ff:fe04:ab01
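A validator for the two feed file formats described above (the malware hash list and the IP list), added here as an example; it is not part of the guide or of FortiProxy. It checks that each line of an address feed is a single IP, a subnet, or an a-b range, and that each line of a malware feed is an MD5, SHA1, or SHA256 hex digest, warning when a list mixes hash types. The sample feed contents are constructed, and ignoring blank lines is an assumption.

```python
import ipaddress
import re

# Digest lengths (hex characters) of the three hash types the malware feed accepts
HASH_TYPE_BY_LENGTH = {32: "MD5", 40: "SHA1", 64: "SHA256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def check_ip_entry(entry):
    """Return None if entry is a single IP, a subnet, or an 'a-b' range, else an error string."""
    if "-" in entry:
        lo_text, _, hi_text = entry.partition("-")
        try:
            lo = ipaddress.ip_address(lo_text.strip())
            hi = ipaddress.ip_address(hi_text.strip())
        except ValueError:
            return "malformed range"
        if lo.version != hi.version:
            return "range mixes IPv4 and IPv6"
        if lo > hi:
            return "range start is after range end"
        return None
    try:
        # strict=False accepts host bits in the prefix, like the guide's 172.200.1.4/16
        ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "not an IP address or subnet"
    return None


def check_hash_entry(entry):
    """Return (hash_type, None) for a valid digest, or (None, error string)."""
    if not HEX_RE.match(entry):
        return None, "not a hexadecimal string"
    hash_type = HASH_TYPE_BY_LENGTH.get(len(entry))
    if hash_type is None:
        return None, "length %d is not MD5, SHA1, or SHA256" % len(entry)
    return hash_type, None


def validate_feed(text, feed_type):
    """Validate a feed body. feed_type is the external-resource type: 'address' or 'malware'.
    Returns (errors, warnings), each a list of strings; an empty errors list means the file is usable."""
    if feed_type not in ("address", "malware"):
        raise ValueError("feed_type must be 'address' or 'malware'")
    errors, warnings, hash_types = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:  # assumption: blank lines are ignored rather than rejected
            continue
        if feed_type == "address":
            problem = check_ip_entry(entry)
        else:
            hash_type, problem = check_hash_entry(entry)
            if hash_type:
                hash_types.add(hash_type)
        if problem:
            errors.append("line %d: %s (%r)" % (lineno, problem, entry))
    if len(hash_types) > 1:
        # Mixing hash types slows scanning; the guide recommends one type per list
        warnings.append("list mixes hash types %s; use one type per list"
                        % ", ".join(sorted(hash_types)))
    return errors, warnings


# Constructed sample feed: the guide's IP examples plus three deliberately bad lines
SAMPLE_IP_FEED = "\n".join([
    "192.168.2.100",
    "172.200.1.4/16",
    "172.16.1.2/24",
    "172.16.8.1-172.16.8.100",
    "2001:0db8::eade:27ff:fe04:9a01/120",
    "2001:0db8::eade:27ff:fe04:aa01-2001:0db8::eade:27ff:fe04:ab01",
    "172.16.8.100-172.16.8.1",   # start after end
    "10.0.0.1-2001:db8::1",      # mixed address families
    "10.0.0.999",                # not an address
])

# Constructed sample feed: the well-known MD5 and SHA256 digests of an empty file, plus two bad lines
SAMPLE_HASH_FEED = "\n".join([
    "d41d8cd98f00b204e9800998ecf8427e",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "zzzz",
    "abcdef",
])

if __name__ == "__main__":
    for name, body, kind in (("ip", SAMPLE_IP_FEED, "address"),
                             ("hash", SAMPLE_HASH_FEED, "malware")):
        errs, warns = validate_feed(body, kind)
        print(name, "errors:", errs, "warnings:", warns)
```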

To use an external IP list object:

1. Go to Security Fabric > External Connectors and click Create New.
2. In the Threat Feeds section, click IP Address.
3. In the URI of external resource field, enter the link to the external IP list object.
4. Click OK.

Asset Identity Center

The Asset Identity Center page unifies information from detected addresses, devices, and users into a single page, while
building a data structure to store the user and device information in the backend. Asset view groups information by
Device, while Identity view groups information by User. Hover over a device or a user in the GUI to perform different
actions relevant to the object, such as adding a firewall device address, adding an IP address, banning the IP address,
quarantining the host, and more.

To view the Asset Identity Center page:

1. Go to Security Fabric > Asset Identity Center.

2. Click Asset to view information by device. The available columns are Device, Software OS, Hardware, FortiClient
User, User, Status, Vulnerabilities, Endpoint Tags, and Last Seen. The optional columns are Address, Firewall
Address, Hostname, IP Address, and Server.

3. Click Identity to view information by user. The available columns are User, Device, and Properties. The optional
columns are IP Address, Logoff Time, and Logon Time.


Each view has a dropdown option to view the information within different time frames (Latest, 1 hour, 24 hours, and
7 days). Vulnerability information is displayed when applicable. The page displays user and device relationships,
such as which users are logged in to multiple devices or if multiple users are logged in to single devices.

4. Hover over a device in the list to view the tooltip and possible actions. In this example, the available actions are add
firewall device address, add firewall IP address, and ban the IP.

Diagnostics for the unified user device store

The following options are available for diagnose user-device-store unified <option>:

Option                Description
device-memory-query   Get device records and associated user records from memory.
device-query          Get device records and associated user records from memory and disk.
user-memory-query     Get user records and associated device records from memory.
user-query            Get user records and associated device records from memory and disk.
re-query              Retrieve query by <query-id> <iteration-start> <iteration-count> (takes 0-3 arguments).
list                  List unified queries.
clear                 Delete all unified queries.
dump                  Dump unified query stats by <query-id> (takes 0-1 arguments).
delete                Delete unified query by <query-id> (takes 0-1 arguments).
stats                 Get statistics for unified queries.
debug                 Enable/disable debug logs for unified queries.

Log & Report

The Log & Report menu allows you to view and download reports and traffic, event, and security logs. Logging,
archiving, and user interface settings can also be configured.
This section describes the following:
- Types of logs on page 467
- Local Reports on page 470
- Log Settings on page 470
- Threat Weight on page 474
- Email Alert Settings on page 475
The log messages are a record of all of the traffic that passes through the FortiProxy device, and the actions taken by the
device while scanning said traffic.
After a log message is recorded, it is stored in a log file. The log files can be stored on the FortiProxy device itself, on a
connected FortiManager or FortiAnalyzer device, or on a FortiCloud server (you must have a FortiCloud subscription
before you can configure the FortiProxy device to send logs to a FortiCloud server). The FortiProxy device’s system
memory or local disk can be configured to store logs.

The HTTP response code returned by the upstream content server has been added to the
FortiProxy logs to aid in the debugging of content failures.

Each page of log messages contains the following controls.

Refresh Select Refresh to refresh the log list.

Download Log Select Download Log to download the raw log file to your local computer. The log
file can be viewed in any text editor.

Add Filter When you select the Add Filter button, a drop-down list appears with a list of
available filtering options. Available options differ based on which log is currently
being viewed.

Log Location The location where the displayed logs are stored.

Details Details about the selected log message. The information displayed varies
depending on the type of log message selected.

Log list The log messages. The available columns vary depending on the type of log being
viewed. Hover over the leftmost edge of the column heading to display the Configure
Table icon, which you can use to select the columns to display or to reset all the
columns to their default settings. You can also drag column headings to change their
order.

Page navigation Navigate to different pages of the log list. The total number of log messages are
also shown.


Debug logs

Customer Support might request a copy of your debug logs for troubleshooting.

To download the debug logs:

1. Go to System > Advanced.
2. Select Download Debug Logs in the Debug Logs section.

Logs for the execution of CLI commands

Starting in FortiProxy 7.0.0, the cli-audit-log option records the execution of CLI commands in system event logs
(log ID 44548). In addition to execute and config commands, show, get, and diagnose commands are recorded in
the system event logs.
The cli-audit-log data can be recorded in memory or on disk and can be uploaded to FortiAnalyzer or a syslog server.

To enable the CLI audit log option:

config system global
set cli-audit-log enable
end

To display the logs:

# execute log filter device disk
# execute log filter category event
# execute log filter field subtype system
# execute log filter field logid 0100044548
# execute log display

Filter WAD log messages by process types or IDs

WAD log messages can be filtered by process types or IDs. Multiple process type filters can be configured, but only one
process ID filter can be configured.
# diagnose wad filter process-type <integer>
# diagnose wad filter process-id <integer>

diagnose wad filter process-type <integer>
    Select the process type to filter by (0 - 17, 0 = disable):
    - 1 = manager
    - 2 = dispatcher
    - 3 = worker
    - 4 = algo
    - 5 = informer
    - 6 = user-info
    - 7 = cache-service-cs
    - 8 = cache-service-db
    - 9 = cert-inspection
    - 10 = YouTube-filter-cache-service
    - 11 = user-info-history
    - 12 = debug
    - 13 = config-notify
    - 14 = object-cache
    - 15 = byte-cache
    - 16 = traffic aggregator
    - 17 = preload daemon

diagnose wad filter process-id <integer>
    Select the process ID to filter by (0 = disable).

To configure multiple filters:

# diagnose wad filter process-type 1
# diagnose wad filter process-type 3
# diagnose wad filter process-type 16
# diagnose wad filter process-id 1115

To view the configured filters:

# diagnose wad filter list
drop unknown sessions: disabled
process type:
manager
worker
traffic aggregator
process id: 1115

Types of logs

The Log & Report menu allows you to view traffic logs, event logs, and security logs:

Traffic logs

Forward Traffic The forward traffic log includes log messages for traffic that passes through the
FortiProxy device. It includes both traffic and security log messages so that
messages about security events can be viewed alongside messages about the
traffic at the time of the event.
See also Forward traffic and HTTP transaction logs' client IP address on page
474.

HTTP Transaction HTTP transaction-related traffic log.
See also Forward traffic and HTTP transaction logs' client IP address on page
474.

Local Traffic The local traffic log includes messages for traffic that terminates at the FortiProxy
unit, either allowed or denied by a local policy.

Sniffer Traffic The sniffer log records all traffic that passes through a particular interface that has
been configured to act as a One-Armed Sniffer, so it can be examined separately
from the rest of the traffic logs.

ZTNA Traffic

Event logs

System Events General system events.

Router Events Events relating to layer-3 routing.

VPN Events Events relating to VPN.

User Events Events relating to users.

HA Events Events relating to HA.

Security Rating Events Events relating to Security Rating.

WAN Opt. & Cache Events Events relating to WAN optimization and cache.

SDN Connector Events Events relating to Fabric connectors.

CIFS Events Events relating to CIFS.

REST API Events The REST API events log subtype logs POST, PUT, DELETE, and GET REST
API requests. They can be enabled or disabled in the CLI:
config log setting
set rest-api-set {enable | disable}
set rest-api-get {enable | disable}
end

Security logs

AntiVirus The antivirus log records when, during the antivirus scanning process, the
FortiProxy unit finds a match within the antivirus profile, which includes the
presence of a virus or grayware signature.

Content Analyses

Web Filter The web filter log records HTTP log rating errors, including web content blocking
actions that the FortiProxy device performs. It also includes how long it takes to
scan the HTTP request, the client request host header, the client request host
inside of the request line, and the server response code.

SSL Records detected and blocked malicious SSL connections.


DNS Query The DNS query log messages include details of each DNS query and response.
DNS log messages are recorded for all DNS traffic through the FortiProxy unit and
originated by the FortiProxy unit.
The detailed DNS log can be used for low-impact security investigation. Most
network activity involves DNS activity of some kind. Analyzing the DNS log can
provide a lot of detail about the activity on your network without using resource-
intensive techniques.

File Filter Records file filter events.

Data Leak Prevention The data leak prevention (DLP) log provides valuable information about the
sensitive data trying to get through to your network as well as any unwanted data
trying to get into your network.
The DLP log can record the following traffic types:
- email (SMTP, POP3, or IMAP; if SSL content, SMTPS, POP3S, and IMAPS)
- HTTP
- HTTPS
- FTP
- NNTP
- IM

Application Control The Application Control log provides detailed information about the traffic that
internet applications such as Skype are generating. The Application Control
feature controls the flow of traffic from a specific application, and the FortiProxy
unit examines this traffic for signatures that the application generates.
The log messages that are recorded provide information such as the type of
application being used (such as P2P software), and what type of action the
FortiProxy unit took. These log messages can also help you to determine the top
ten applications that are being used on your network. This feature is called
Application Control monitoring and you can view the information from a widget on
the Executive Summary page.
The Application Control list that is used must have logging enabled within the list,
as well as logging enabled within each application entry. Each application entry
can also have packet logging enabled. Packet logging for Application Control
records the packet when an application type is identified, similar to IPS packet
logging.
Logging of Application Control activity can only be recorded when an Application
Control list is applied to a firewall policy, regardless of whether or not logging is
enabled within the Application Control list.

Intrusion Prevention The Intrusion Prevention log, also referred to as the attack log, records attacks
that occurred against your network. Attack logs contain detailed information about
whether the FortiProxy unit protected the network using anomaly-based defense
settings or signature-based defense settings, as well as what the attack was.
The Intrusion Prevention or attack log file is especially useful because the log
messages that are recorded contain a link to the FortiGuard Center, where you
can find more information about the attack. This is similar to antivirus logs, where
a link to the FortiGuard Center is provided as well that informs you of the virus that
was detected by the FortiProxy unit.
An Intrusion Prevention sensor with log settings enabled must be applied to a
firewall policy so that the FortiProxy unit can record the activity.

Anomaly Protocol anomaly attacks involve malformed or corrupt packets that typically fall
outside of protocol specifications. These packets are not seen on a production
network. Protocol anomaly attacks exploit poor programming practices when
decoding packets, and are typically used to maliciously impair system
performance or elevate privileges.

Anti-Spam The FortiGuard Antispam Service uses both a sender IP reputation database and
a spam signature database, along with sophisticated spam filtering tools on
Fortinet appliances and agents, to detect and block a wide range of spam
messages. Updates to the IP reputation and spam signature databases are
provided continuously by the FDN.

Local Reports

Reports provide a clear, concise overview of what is happening on your network based on log data and can be
customized to serve different purposes.
To create local reports, you need to enable disk logging and local reports in Log & Report > Log Settings.
Local reports are created from logs stored on the FortiProxy unit’s hard drive. These reports, generated by the FortiProxy
unit itself, provide a central overview of traffic and security features on the FortiProxy unit. The default report compiles
security feature activity from various security-related logs, such as virus and attack logs.
On the Log & Report > Local Reports page, you can set the frequency and timing of auto-generated reports.
You can select Generate Now on the Local Reports page to immediately create a report. After generating a report, select
it from the list and then select View.
Local reports are marked as “Schedule-default” if created automatically or “On-Demand-default” if created by selecting
Generate Now.

Log Settings

The type and frequency of log messages you intend to save determines the type of log storage to use. For example, if
you want to log traffic and content logs, you need to configure the unit to log to a syslog server. The FortiProxy system
disk is unable to log traffic and content logs because of their frequency and large file size.
Storing log messages to one or more locations, such as a syslog server, might be a better solution for your logging
requirements than the FortiProxy system disk.
This topic contains information about logging to FortiAnalyzer or FortiManager units, a syslog server, and to disk.


To configure log settings, go to Log > Log Settings.


Configure the following settings:

Memory Enable to store logs in the unit’s memory.

Disk Enable to store logs on the unit’s disk. Enabling disk logging is required to
produce data for all FortiView consoles. Logs older than 7 days are deleted from
the disk.

Enable Local Reports Enable to create local reports.

Enable Historical FortiView Enabling Historical FortiView is required to produce data for all FortiView
consoles.

Send Logs to FortiAnalyzer/FortiManager Select to send logs to a FortiAnalyzer or a FortiManager unit.
HTTP transaction logs are also sent to a FortiAnalyzer unit to generate additional
details in reports.

IP Address The IP address of the FortiAnalyzer or FortiManager unit.
Select Test Connectivity to test the connectivity with the device.

Upload option Select how often to upload log entries: Real Time, Every Minute, or Every 5
Minutes.

Encrypt log transmission Enable to encrypt logs. Encrypted logs are sent using SSL communication.

Send Logs to FortiCloud This option is not available.

Send Logs to Syslog Enable to send logs to a syslog server.

IP Address/FQDN If you enable Send Logs to Syslog, enter the IP address or fully qualified domain
name of the syslog server.

Log Settings

Event Logging Select All or select Customize and then select the events to log: System activity
event, User activity event, Router activity event, Explicit web proxy event, HA
event, Compliance Check Event, and Security audit event.

Local Traffic Log Select All or select Customize and then select the local traffic to log: Log Allowed
Traffic, Log Denied Unicast Traffic, Log Local Out Traffic, and Log Denied
Broadcast Traffic.

GUI Preferences

Display Logs From Select where logs are displayed from: Memory or Disk.

Resolve Hostnames Enable to resolve host names using reverse DNS lookup.

Resolve Unknown Applications Enable to resolve unknown applications using the Internet Service Database.

Memory debugging

Memory on FortiProxy might appear high, even on an unloaded system; however, this level is not usually cause for
concern because available memory is used to improve the disk-caching performance and is returned to the system if
needed.


To debug memory status in cases of high memory usage, and to confirm that there is no issue, use the following CLI
commands to show memory use by each WAD worker and by the cache service.

CLI syntax

diagnose wad memory <ssl | ssh>
diagnose wad <worker | csvc> memory stats <basic | misc>

The TAC report generated by execute tac report includes the WAD memory usage statistics.

Local logging and archiving

The FortiProxy system can store log messages on disk. It can store traffic and content logs on the system disk or disks.
When the log disk is full, logging to disk can either be suspended, or the oldest logs can be overwritten.

Remote logging to a syslog server

A syslog server is a remote computer running syslog software and is an industry standard for logging. Syslog is used to
capture log information provided by network devices. The syslog server is both a convenient and flexible logging device
because any computer system, such as Linux, Unix, and Intel-based Windows can run syslog software.
When configuring logging to a syslog server, you need to configure the facility and the log file format, which is either
normal or Comma Separated Values (CSV). The CSV format contains commas, whereas the normal format contains
spaces. Logs saved in the CSV file format can be viewed in a spreadsheet application, while logs saved in normal format
are viewed in a text editor because they are saved as plain text files.
Configuring a facility easily identifies the device that recorded the log file. You can choose from many different facility
identifiers, such as daemon or local7.
If you are configuring multiple syslog servers, configuration is available only in the CLI. You can also enable the reliable
delivery option for syslog log messages in the CLI.
From the CLI, you can enable reliable delivery of syslog messages using the following commands:
config log {syslogd | syslogd2 | syslogd3 | syslogd4} setting
set status enable
set reliable enable
end

The FortiProxy unit implements the RAW profile of RFC 3195 for reliable delivery of log messages. Reliable syslog
protects log information through authentication and data encryption and ensures that the log messages are reliably
delivered in the correct order. This feature is disabled by default.

If more than one syslog server is configured, the syslog servers and their settings appear on
the Log Settings page. You can configure multiple syslog servers in the CLI using the config
log {syslogd | syslogd2 | syslogd3 | syslogd4} setting CLI command.


You can specify the source IP address of self-originated traffic when configuring a syslog
server; however, this is available only in the CLI.

Forward traffic and HTTP transaction logs' client IP address

The HTTP transaction and Forward session logs include the ClientIP column, which records the client IP address based on
the learn-client-ip configuration. By default, the original source IP is recorded.
config web-proxy global
set learn-client-ip {enable | disable}
set learn-client-ip-from-header {true-client-ip x-real-ip x-forwarded-for}
set learn-client-ip-srcaddr <address>
set learn-client-ip-srcaddr6 <address>
end

learn-client-ip {enable | disable}
    Enable/disable learning the client's IP address from headers (default = disable).

learn-client-ip-from-header {true-client-ip | x-real-ip | x-forwarded-for}
    Learn the client IP address from the specified headers: True-Client-IP, X-Real-IP, and X-Forwarded-For.

learn-client-ip-srcaddr <address>, learn-client-ip-srcaddr6 <address>
    Source address name (srcaddr or srcaddr6 must be set).
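The header-learning logic described above, as an added Python example that is not part of the guide or of FortiProxy: it derives the value that would appear in the ClientIP column from the original source IP and the selected headers. Two points are assumptions the guide does not spell out: header values are only trusted when the original source IP lies inside the configured srcaddr/srcaddr6 networks (so a client outside those networks cannot spoof the logged ClientIP), and for X-Forwarded-For the leftmost address is taken; the sample requests are constructed.

```python
import ipaddress

# The three learn-client-ip-from-header options; this order is the precedence the example
# applies when several headers are present (assumption, not stated by the guide)
DEFAULT_HEADER_ORDER = ("true-client-ip", "x-real-ip", "x-forwarded-for")


def first_ip_in_header(value):
    """Return the leftmost comma-separated element if it parses as an IP, else None."""
    candidate = value.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def source_is_trusted(original_source_ip, trusted_networks):
    """True when the connection's source IP lies inside one of the srcaddr/srcaddr6 networks."""
    addr = ipaddress.ip_address(original_source_ip)
    return any(addr in net for net in trusted_networks)


def learn_client_ip(original_source_ip, headers, enabled=False,
                    from_header=DEFAULT_HEADER_ORDER, srcaddr=()):
    """Return the address to record in the ClientIP column.

    original_source_ip: the TCP peer address of the request
    headers:            request headers as a dict (names matched case-insensitively)
    enabled:            learn-client-ip enable/disable (default disable: log the original source)
    from_header:        the selected learn-client-ip-from-header options
    srcaddr:            networks named by learn-client-ip-srcaddr / -srcaddr6 (one must be set)
    """
    if not enabled:
        return original_source_ip
    if not srcaddr:
        # srcaddr or srcaddr6 must be set; with nothing trusted, keep the original source
        return original_source_ip
    trusted = [ipaddress.ip_network(net) for net in srcaddr]
    if not source_is_trusted(original_source_ip, trusted):
        # Headers from an untrusted source are ignored so ClientIP cannot be spoofed
        return original_source_ip
    lowered = {name.lower(): value for name, value in headers.items()}
    for option in from_header:
        value = lowered.get(option)
        if value:
            learned = first_ip_in_header(value)
            if learned:
                return learned
    return original_source_ip


# Constructed sample: an upstream proxy in 10.1.0.0/16 forwards a request for 203.0.113.7,
# while a direct client at 198.51.100.9 sends its own forged X-Forwarded-For header
TRUSTED_PROXIES = ("10.1.0.0/16",)
FORWARDED_REQUEST = {"X-Forwarded-For": "203.0.113.7, 10.1.1.5", "Host": "example.com"}
SPOOFED_REQUEST = {"X-Forwarded-For": "192.0.2.1"}

if __name__ == "__main__":
    print(learn_client_ip("10.1.1.5", FORWARDED_REQUEST, True, srcaddr=TRUSTED_PROXIES))
    print(learn_client_ip("198.51.100.9", SPOOFED_REQUEST, True, srcaddr=TRUSTED_PROXIES))
```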

Threat Weight

Go to Log & Report > Threat Weight to change the threat weight definition.


Email Alert Settings

Alert email messages provide notification about logged activities or events. These email messages also indicate the
log severity level, such as critical or emergency.
You can send alert email messages to up to three email addresses. Alert messages are also logged and can be viewed
from the System Events log file.


You can use the alert email feature to monitor logs for log messages, and to send email notification about a specific
activity or event logged. For example, if you require notification about administrators logging in and out, you can
configure an alert email that is sent whenever an administrator logs in and out. You can also base alert email messages
on the severity levels of the logs.
Before configuring alert email, you must configure at least one DNS server if you specify the SMTP server by fully
qualified domain name (FQDN). The FortiProxy unit uses the SMTP server name to connect to the mail server, and must
look up this name on your DNS server. You can also specify an IP address.

The default minimum log severity level is Alert. If the FortiProxy unit collects more than one log
message before an interval is reached, the FortiProxy unit combines the messages and sends
out one alert email.

How to configure email notifications

The following procedure explains how to configure an alert email notification for IPsec tunnel errors, firewall
authentication failure, configuration changes and FortiGuard license expiry.
1. In System > Advanced, under Email Service, enable Use Custom Email Server and configure the SMTP server.
The SMTP server settings allow the FortiProxy unit to know exactly where the email will be sent from, as well as who
to send it to. The SMTP server must be a server that does not support SSL/TLS connections; if the SMTP server
does, the alert email configuration will not work. The FortiProxy unit does not currently support SSL/TLS
connections for SMTP servers.
2. In Log > Email Alert Settings, toggle Enabled, configure the email alert settings as described in the table, and select
Apply to save your changes.


Configure the following settings:

From Enter the source email address.

To Enter up to three target email addresses.


Alert parameter If you select Events, enter the number of minutes in Interval and enable the
events that will cause email alerts to be sent.
If you select Severity, select the event priority level for email alerts to be sent in
the Minimum level drop-down list. The priority level indicates the immediacy and
the possible repercussions of the event. There are eight priority levels from Debug
(lowest priority) to Emergency (highest priority). The default priority level is Alert.

Interval Select the number of minutes between email alerts, from 1 to 99,999 minutes. The
default is 5 minutes.

Intrusion detected Enable to send an email alert when an intrusion is detected.

Virus detected Enable to send an email alert when a virus is detected.

Web Filter blocked traffic Enable to send an email alert when a web filter blocked traffic.

Policy denied traffic Enable to send an email alert when a policy denied traffic.

Disk usage exceeds Enable and enter a percentage to send an email alert when the disk usage
exceeds the specified level. The default is 75%.

FortiGuard renewal due within Enable and enter the number of days to send an email alert before FortiGuard
must be renewed.

Administrator login/logout Enable to send an email alert when an administrator logs in or out of the
FortiProxy unit.

Configuration change Enable to send an email alert when the FortiProxy configuration has been
changed.

Firewall authentication failure Enable to send an email when traffic fails authentication.

HA status change Enable to send an email when there is a change in the HA status.

Appendices

- Perl regular expressions on page 480
- Preload cache content and web crawler on page 482
- Automatic backup to an FTP or TFTP server on page 484
- Custom signature keywords on page 488

Perl regular expressions

The following table lists and describes some examples of Perl regular expressions.

Expression Matches

abc “abc” (the exact character sequence but anywhere in the string).

^abc “abc” at the beginning of the string.

abc$ “abc” at the end of the string.

a|b Either “a” or “b”.

^abc|abc$ The string “abc” at the beginning or at the end of the string.

ab{2,4}c “a” followed by two, three, or four “b”s followed by a “c”.

ab{2,}c “a” followed by at least two “b”s followed by a “c”.

ab*c “a” followed by any number (zero or more) of “b”s followed by a “c”.

ab+c “a” followed by one or more “b”s followed by a “c”.

ab?c “a” followed by an optional “b” followed by a “c”; that is, either “abc” or “ac”.

a.c “a” followed by any single character (not newline) followed by a “c”.

a\.c “a.c” exactly.

[abc] Any one of “a”, “b”, and “c”.

[Aa]bc Either of “Abc” and “abc”.

[abc]+ Any (nonempty) string of “a”s, “b”s and “c”s (such as “a”, “abba”, “acbabcacaa”).

[^abc]+ Any (nonempty) string that does not contain any of “a”, “b”, and “c” (such as “defg”).

\d\d Any two decimal digits, such as 42; same as \d{2}.

/i Makes the pattern case insensitive. For example, /bad language/i blocks any instance of “bad
language” regardless of case.

\w+ A “word”: A nonempty sequence of alphanumeric characters and low lines (underscores), such as
“foo”, “12bar8”, and “foo_1”.

100\s*mk The strings “100” and “mk” optionally separated by any amount of white space (spaces, tabs, and
newlines).

abc\b “abc” when followed by a word boundary (for example, in “abc!” but not in “abcd”).

perl\B “perl” when not followed by a word boundary (for example, in “perlert” but not in “perl stuff”).

\x Tells the regular expression parser to ignore white space that is neither preceded by a backslash
character nor within a character class.
Use this to break up a regular expression into slightly more readable parts.

/x Used to add regular expressions within other text.


If the first character in a pattern is forward slash “/”, the “/” is treated as the delimiter. The pattern
must contain a second “/”. The pattern between the “/” is taken as a regular expression, and
anything after the second “/” is parsed as a list of regular expression options (“i”,“x”, and so on). An
error occurs if the second “/” is missing.
In regular expressions, the leading and trailing space is treated as part of the regular expression.

Block common spam phrases

Block common phrases found in spam messages with the following expressions:
/try it for free/i
/student loans/i
/you’re already approved/i
/special[\+\-\*=<>\.\,;!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i

Block purposely misspelled words

Random characters are often inserted between the letters of a word to bypass spam-blocking software. The following
expressions can help to block those messages:
/^.*v.*i.*a.*g.*r.*o.*$/i
/cr[eéèêë][\+\-\*=<>\.\,;!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i

Block any word in a phrase

Use the following expression to block any word in a phrase:
/block|any|word/
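
As an added example (not part of the FortiProxy guide), the following Python matcher applies the delimiter and option rules above to the spam-phrase expressions in this section and runs them over a few constructed messages; the function and sample names are my own.

```python
import re
from typing import List, Optional

# Added example (not Fortinet's code): a small matcher that applies the
# pattern rules described above. A pattern that starts with "/" uses "/" as
# the delimiter and takes its options after the second "/"; any other pattern
# is used verbatim, leading and trailing spaces included.

_OPTIONS = {
    "i": re.IGNORECASE,   # case insensitive
    "x": re.VERBOSE,      # ignore unescaped white space outside classes
    "s": re.DOTALL,       # let "." match newlines
    "m": re.MULTILINE,    # ^ and $ match at line boundaries
}


def compile_pattern(spec: str) -> re.Pattern:
    """Compile one expression the way the guide describes it."""
    if not spec.startswith("/"):
        return re.compile(spec)          # spaces are part of the expression
    end = spec.find("/", 1)
    if end == -1:
        raise ValueError("pattern starts with '/' but the closing '/' is missing")
    body, options = spec[1:end], spec[end + 1:]
    flags = 0
    for opt in options:
        if opt not in _OPTIONS:
            raise ValueError(f"unsupported option {opt!r} in {spec!r}")
        flags |= _OPTIONS[opt]
    return re.compile(body, flags)


def first_match(text: str, specs: List[str]) -> Optional[str]:
    """Return the first expression in specs that matches text, else None."""
    for spec in specs:
        if compile_pattern(spec).search(text):
            return spec
    return None


# The expressions from "Block common spam phrases" and "Block purposely
# misspelled words" above, written as raw strings so backslashes survive.
SPAM_PATTERNS = [
    r"/try it for free/i",
    r"/student loans/i",
    r"/you’re already approved/i",
    r"/special[\+\-\*=<>\.\,;!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i",
    r"/^.*v.*i.*a.*g.*r.*o.*$/i",
    r"/cr[eéèêë][\+\-\*=<>\.\,;!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i",
]

# Constructed sample messages for a quick run.
SAMPLES = [
    "TRY IT FOR FREE today",
    "Special*Offer inside",
    "V-I-A-G-R-O pills",
    "apply for cre-dit now",
    "Your quarterly report",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:32} -> {first_match(line, SPAM_PATTERNS)}")
```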

Preload cache content and web crawler

You can configure FortiProxy to preload cache content based on manually defined URL patterns with a scheduled crawling function. This feature is useful for schools and hotels where popular content, such as video, can be predicted ahead of schedule, downloaded outside of peak hours, and served to customers from the cache.
The following execute preload CLI commands list and describe the configurable preload caching and web crawler options.

execute preload list

Use this command to show currently active URLs and their run schedules:
execute preload list

For example:
URL's scheduled for preload:
http://google.com
Depth: 0, runs every 1 minutes, next run at Dec 23 16:49
http://google.ca
Depth: 5, runs every 2 minutes, next run at Dec 23 16:52
https://news.cnn.com
Depth: 1, runs every 5 minutes, next run at Dec 23 18:47

execute preload show-log

Use this command to display all the completed operations and their status.

execute preload url

Use this command to schedule a crawl, preload, refresh, or pin request for a given URL:
execute preload url <url> <depth> <at_time> <repeat_after> <repetitions> <user-agent> <user> <password>

- <url>: URL to preload.
- <depth>: Depth of the preload.
- <at_time>: In the format HHH:MM. HHH is hours from the present (between 0-672), and MM is minutes from the present (between 0-59). The default is 0:00.
- <repeat_after>: HHH:MM. Set HHH between 0-168 and MM between 0-59. The default is 168:59 (maximum).
- <repetitions>: End after this many repetitions (between 1-365). The default is 1.
- <user-agent>: Specify the client type (free text) to identify as the user agent. The default is "Wget/1.17 (linux-gnu)".
- <user>: Specify the user name.
- <password>: Password for the user (asked for in a separate prompt).

execute preload url-delete

Use this command to delete a scheduled crawl, preload, refresh, or pin request for a given URL:
execute preload url-delete <url>

Use the following command, for example, to delete all operations for http://www.fortinet.com:
execute preload url-delete http://www.fortinet.com/

To view a list of pending crawls, see execute preload list on page 482.

Examples

The following commands would fetch http://www.fortinet.com and do the following:

- preload the cache immediately:
execute preload url http://www.fortinet.com/
- crawl it to depth two immediately:
execute preload url http://www.fortinet.com/ 2
- crawl it to depth two after ten minutes:
execute preload url http://www.fortinet.com/ 2 00:10
- crawl it to depth two after ten minutes and then every 24 hours, 30 times (that is, fetch the URL in ten minutes and every day for 30 days):
execute preload url http://www.fortinet.com/ 2 00:10 24:00 30
- crawl with the user agent “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0”:
execute preload url http://www.fortinet.com/ 0 00:00 00:01 1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0"

Automatic backup to an FTP or TFTP server

You can schedule automatic FortiProxy backups to an FTP or TFTP server.

Manual backups to a remote FTP or TFTP using IPv4

To manually back up the full FortiProxy configuration to a remote FTP server:

execute backup full-config ftp <configuration_file_name> <FTP_server_IPv4_address> <user_name> <password>

To manually back up the full FortiProxy configuration to a remote TFTP server:

execute backup full-config tftp <configuration_file_name> <TFTP_server_IPv4_address> <password>

Specifying a password is optional for backing up to a TFTP server.

Manual backups to a remote FTP or TFTP using IPv6

Starting in FortiProxy 7.0.0, IPv6 addresses are supported in the execute backup and execute restore
commands to TFTP and FTP servers.

To back up a configuration file to an IPv6 TFTP server:

# execute backup config tftp fpx.conf 2000:172:16:200::55

To restore a configuration file from an IPv6 TFTP server:

# execute restore config tftp fpx.conf 2000:172:16:200::55

To back up a configuration file to an IPv6 FTP server:

# execute backup config ftp fpx.conf 2000:172:16:200::55 root xxxxxxxxxx

To restore a configuration file from an IPv6 FTP server:

# execute restore config ftp fpx.conf 2000:172:16:200::55 root xxxxxxxxxx

Scheduled automatic backups with an auto script

Use an auto script to schedule a FortiProxy backup and to define how many times to repeat the backup. The auto script overwrites the existing configuration file with the same name; it does not support keeping every hourly configuration file under its own name.
The following example shows how to automate the hourly backup of the FortiProxy configuration to an FTP server.

FTP server: 10.1.5.241
FTP user: ftp_user
FTP user password: ftppassword
Name of the configuration file: FPX1_autoScript.conf

config system auto-script
edit "hourly_config_backup"
set interval 3600
set repeat 0
set start auto
set script "execute backup full-config ftp FPX1_autoScript.conf 10.1.5.241 ftp_user ftppassword"
next
end

If the FTP auto script was executed successfully, the following is the result:
FPX1 $ execute auto-script status
========== #1, 2019-07-29 09:00:01 ==========
FPX1 $ execute backup full-config ftp FPX1_autoScript.conf 10.1.5.241 ftp_user ftppassword
Please wait...

Connect to ftp server 10.1.5.241 ...

Send config file to ftp server OK.

========== #2, 2019-07-29 10:00:01 ==========
FPX1 $ execute backup full-config ftp FPX1_autoScript.conf 10.1.5.241 ftp_user ftppassword
Please wait...

Connect to ftp server 10.1.5.241 ...

Send config file to ftp server OK.

The following example shows how to automate the hourly backup of the FortiProxy configuration to a TFTP server:
config system auto-script
edit "hourly_config_backup"
set interval 3600
set repeat 0
set start auto
set script "execute backup full-config tftp FPX1_autoScript.conf 10.1.5.241"
next
end

The following is the full syntax of the auto-script CLI commands:

config system auto-script
edit <name>
# Configure auto script.
set name <string> Auto script name. The size is 35 characters.
set interval <integer> Repeat interval in seconds. The range is 0-31557600.
set repeat <integer> Number of times to repeat this script (0 = infinite). The range is 0-65535.
set start {manual | auto} Script starting mode.
manual Starting manually.
auto Starting automatically.
set script <string> List of FortiProxy CLI commands to repeat. The size is 255 characters.
set output-size <integer> Number of megabytes to limit script output to. The range is 10-1024. The default is 10.
next
end

Manual backups with SCP

You can use the secure copy protocol (SCP) to perform manual backups of the FortiProxy configuration.
1. To enable SCP, run the following commands:
config system global
set admin-scp enable
end

2. Enable the SSH administrative access on the interface handling the SCP services.
3. Use any Linux client to download the FortiProxy configuration file using the following command:
$ scp admin@<FortiProxy_IP>:sys_config <location>

The following example is run using Lubuntu 19.04. This backup runs one time from the Linux client.
$ scp admin@10.1.5.252:sys_config ~/config/"FPX.autobackup.$(date +%Y%m%d_%H%M%S).conf"

The example downloads the configuration file and saves it to the ~/config folder with a file name of
FPX.autobackup.$(date +%Y%m%d_%H%M%S).conf.
Using $(date +%Y%m%d_%H%M%S) ensures that each configuration file has a unique file name, for example,
FPX.autobackup.20190729_110001.conf.

Scheduled automatic backups with SCP

To perform an hourly automatic backup, you need to run the SCP command as a cron job.
For example, you can use a bash script to run hourly backups with all the configuration files saved in the ~/config
folder.
NOTE: Remember to change the IP address to your own FortiProxy IP address before adding the following command to a cron job. If the ~/config folder does not already exist, you need to create it before running the cron job.
#!/bin/bash

# This command pulls a copy of the FortiProxy (10.1.5.252) configuration using SCP on port 10104
# and saves it to the ~/config folder with the file-naming convention
# FPX.autobackup.$(date +%Y%m%d_%H%M%S).conf

scp -P 10104 admin@10.1.5.252:sys_config ~/config/"FPX.autobackup.$(date +%Y%m%d_%H%M%S).conf"

Save the bash script file to ~/auto_backup/hourly_backup.sh.

Add execution permission to the bash script file:
$ sudo chmod +x ~/auto_backup/hourly_backup.sh

Run the ls -l command on the Linux client:

lubuntu@lubuntu-pc:~/auto_backup$ ls -l
total 4
-rwxr-xr-x 1 lubuntu lubuntu 106 Jul 29 14:41 hourly_backup.sh
lubuntu@lubuntu-pc:~/auto_backup$

To add the bash script to the cron table file, use the following command:
$ sudo crontab -e
Note that sudo crontab -e edits the root user's crontab, so the job runs as root and ~ in the job resolves to root's home folder rather than the folder of the user who saved the script; to run the job as the user who owns ~/auto_backup and ~/config, edit that user's crontab with crontab -e instead.

# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task.
#
# To define the time, you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and time zones.
#
# Output of the cron table jobs (including errors) is sent through
# email to the user the cron tab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m. every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information, see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
@hourly ~/auto_backup/hourly_backup.sh <==== Add this line to the file and save it.

You can change @hourly to @daily, @weekly, or @monthly.

To verify that the backups were run correctly, look at the contents of the ~/config folder:
lubuntu@lubuntu-pc:~/config$ ls -l
total 784
-rw------- 1 lubuntu lubuntu 197872 Jul 29 11:00 FPX.autobackup.20190729_110001.conf
-rw------- 1 lubuntu lubuntu 197872 Jul 29 12:00 FPX.autobackup.20190729_120001.conf
-rw------- 1 lubuntu lubuntu 197872 Jul 29 13:00 FPX.autobackup.20190729_130001.conf
-rw------- 1 lubuntu lubuntu 197872 Jul 29 14:00 FPX.autobackup.20190729_140001.conf
lubuntu@lubuntu-pc:~/config$

Custom signature keywords

Custom signature keywords are grouped into the following categories:
- information
- session
- content
- IP header
- TCP header
- UDP header
- ICMP
- other

Information keywords

attack_id

Syntax: --attack_id <id_int>;

Description:
Use this optional value to identify the signature. It cannot be the same value as that of any other custom rule. If an attack ID is not specified, the FortiProxy unit automatically assigns an attack ID to the signature.
An attack ID you assign must be between 1000 and 9999.
Example: --attack_id 1234;

name

Syntax: --name <name_str>;

Description:
Enter the name of the rule. A rule name must be unique. The name you assign must be a string greater than 0 and less than 64 characters in length.
Example: --name "Buffer_Overflow";

Session keywords

flow

Syntax: --flow {from_client[,reversed] | from_server[,reversed] | bi_direction};

Description:
Specify the traffic direction and state to be inspected. This keyword can be used for all IP traffic.
Example: --src_port 41523; --flow bi_direction;
The signature checks traffic to and from port 41523.
If you enable “quarantine attacker”, the optional reversed keyword allows you to change the side of the connection to be quarantined when the signature is detected.
For example, a custom signature written to detect a brute-force login attack is triggered when “Login Failed” is detected from_server more than 10 times in 5 seconds. If the attacker is quarantined, it is the server that is quarantined in this instance. Adding reversed corrects this problem and quarantines the actual attacker.

service

Syntax: --service {HTTP | TELNET | FTP | DNS | SMTP | POP3 | IMAP | SNMP | RADIUS | LDAP
| MSSQL | RPC | SIP | H323 | NBSS | DCERPC | SSH | SSL};

Description:
Specify the protocol type to be inspected. This keyword allows you to specify the traffic type by protocol rather than by
port. If the decoder has the capability to identify the protocol on any port, the signature can be used to detect the attack
no matter what port the service is running on. Currently, HTTP, SIP, SSL, and SSH protocols can be identified on any
port based on the content.

app_cat

Syntax: --app_cat <category_int>;

Description:
Specify the category of the application signature. Signatures with this keyword are considered application rules. These signatures appear under Application Control instead of the IPS configuration. To display a complete list of application signature categories, enter the following CLI commands:
config application list
edit default
config entries
edit 1
set category ?

weight

Syntax: --weight <weight_int>;

Description:
Specify the weight to be assigned to the signature. This keyword allows a signature with a higher weight to have priority over a signature with a lower weight. This is useful to prioritize between custom and stock signatures and also between different custom signatures.
The weight must be between 0 and 255. Most of the signatures in the Application Control signature database have weights of 10; botnet signatures are set to 250. A range of 20 to 50 is recommended for custom signatures.

Content keywords

byte_extract

Syntax: byte_extract:<bytes_to_extract>, <offset>, <name>[, relative][, multiplier <multiplier value>][, <endian>][, string][, hex][, dec][, oct][, align <align value>][, dce];

Description:
Use the byte_extract option to write rules against length-encoded protocols. This reads some of the bytes from the packet payload and saves them to a variable.

byte_jump

Syntax: --byte_jump <bytes_to_convert>, <offset>[, multiplier][, relative][, big][, little][, string][, hex][, dec][, oct][, align];

Description:
Use the byte_jump option to extract a number of bytes from a packet, convert them to their numeric representation, and jump the match reference up that many bytes (for further pattern matching or byte testing). This keyword allows relative pattern matches to take into account numerical values found in network data. The available keyword options include:
- <bytes_to_convert>: The number of bytes to examine from the packet.
- <offset>: The number of bytes into the payload to start processing.
- [multiplier]: multiplier is optional. It must be a numerical value when present. The converted value multiplied by the number is the result to be skipped.
- relative: Use an offset relative to the last pattern match.
- big: Process the data as big endian (default).
- little: Process the data as little endian.
- string: The data is a string in the packet.
- hex: The converted string data is represented in hexadecimal notation.
- dec: The converted string data is represented in decimal notation.
- oct: The converted string data is represented in octal notation.
- align: Round up the number of converted bytes to the next 32-bit boundary.

byte_test

Syntax: --byte_test <bytes_to_convert>, <operator>, <value>, <offset>[, multiplier][, relative][, big][, little][, string][, hex][, dec][, oct];

Description:
Use the byte_test keyword to compare a byte field against a specific value (with operator). This keyword is capable of testing binary values or converting representative byte strings to their binary equivalent and testing them. The available keyword options include:
- <bytes_to_convert>: The number of bytes to compare.
- <operator>: The operation to perform when comparing the value (<, >, =, !, &).
- <value>: The value to compare the converted value against.
- <offset>: The number of bytes into the payload to start processing.
- [multiplier]: multiplier is optional. It must be a numerical value when present. The converted value multiplied by the number is the result to be skipped.
- relative: Use an offset relative to the last pattern match.
- big: Process the data as big endian (default).
- little: Process the data as little endian.
- string: The data is a string in the packet.
- hex: The converted string data is represented in hexadecimal notation.
- dec: The converted string data is represented in decimal notation.
- oct: The converted string data is represented in octal notation.
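
An added Python evaluator (not Fortinet's code) for the byte_test and byte_jump options described above, walked over a constructed length-prefixed record; the record layout, the function names and the oversized-length check are assumptions made for this example.

```python
from typing import Optional

# Added example (not Fortinet's code): a minimal evaluator for the byte_test
# and byte_jump options described above. "cursor" is the position just after
# the previous match, which is what the relative option refers to.


def _convert(payload: bytes, pos: int, nbytes: int, string: bool,
             base: int, little: bool) -> Optional[int]:
    """Read nbytes at pos and convert them to an integer; None if out of range."""
    if pos < 0 or pos + nbytes > len(payload):
        return None
    chunk = payload[pos:pos + nbytes]
    if string:                          # digits carried in the packet, e.g. b"0012"
        try:
            return int(chunk.decode("ascii"), base)
        except ValueError:
            return None
    return int.from_bytes(chunk, "little" if little else "big")


def byte_test(payload: bytes, cursor: int, nbytes: int, operator: str,
              value: int, offset: int, *, multiplier: int = 1,
              relative: bool = False, string: bool = False, base: int = 10,
              little: bool = False) -> bool:
    """Compare the converted field with value using <, >, =, ! or &.

    base 16/10/8 stands in for the hex/dec/oct options.
    """
    pos = (cursor if relative else 0) + offset
    field = _convert(payload, pos, nbytes, string, base, little)
    if field is None:
        return False
    field *= multiplier
    return {
        "<": field < value,
        ">": field > value,
        "=": field == value,
        "!": field != value,
        "&": (field & value) != 0,
    }[operator]


def byte_jump(payload: bytes, cursor: int, nbytes: int, offset: int, *,
              multiplier: int = 1, relative: bool = False,
              string: bool = False, base: int = 10, little: bool = False,
              align: bool = False) -> Optional[int]:
    """Return the new cursor: past the field itself, then past the converted count."""
    pos = (cursor if relative else 0) + offset
    field = _convert(payload, pos, nbytes, string, base, little)
    if field is None:
        return None
    skip = field * multiplier
    if align:                           # round up to the next 32-bit boundary
        skip = (skip + 3) & ~3
    new_cursor = pos + nbytes + skip
    return new_cursor if new_cursor <= len(payload) else None


def check_record(payload: bytes) -> str:
    """Walk a constructed [len:2][name][len:2][value] record the way a rule would.

    The layout and the checks are assumptions for this example: an oversized
    name length (the length-field overflow case) and a value equal to the
    "/bin/sh" string from the pattern example in this guide are reported.
    """
    if byte_test(payload, 0, 2, ">", 64, 0):       # name length > 64
        return "oversized name length"
    cursor = byte_jump(payload, 0, 2, 0)            # skip the name field
    if cursor is None:
        return "truncated"
    value_end = byte_jump(payload, cursor, 2, 0, relative=True)
    if value_end is None:
        return "truncated"
    value = payload[cursor + 2:value_end]
    if value == b"/bin/sh":
        return "shell string in value"
    return "clean"


# Constructed sample records.
BENIGN = b"\x00\x05admin\x00\x03abc"
SHELL = b"\x00\x05admin\x00\x07/bin/sh"
OVERSIZED = b"\x04\x00" + b"A" * 1024

if __name__ == "__main__":
    for name, record in (("benign", BENIGN), ("shell", SHELL), ("oversized", OVERSIZED)):
        print(f"{name:10} -> {check_record(record)}")
```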

depth

Syntax: --depth <depth_int>;

Description:
Use the depth keyword to search for the contents within the specified number of bytes after the starting point defined by the offset keyword. If no offset is specified, the offset is assumed to be equal to 0.
If the value of the depth keyword is smaller than the length of the value of the content keyword, this signature will never be matched.
The depth must be between 0 and 65535.

distance

Syntax: --distance <dist_int>;

Description:
Use the distance keyword to search for the contents within the specified number of bytes relative to the end of the previously matched contents. If the within keyword is not specified, the unit continues looking for a match until the end of the payload.
The distance must be between 0 and 65535.

content

Syntax: --content [!]"<content_str>";

Description:
Deprecated. See the pattern on page 497 and context on page 493 keywords. Use the content keyword to search for the content string in the packet payload. The content string must be enclosed in double quotes.
To have the FortiProxy unit search for a packet that does not contain the specified content string, add an exclamation mark (!) before the content string.
Multiple content items can be specified in one rule. The value can contain mixed text and binary data. The binary data is generally enclosed within the pipe (|) character.
The double quote ("), pipe (|) and colon (:) characters must be escaped using a backslash (\) if specified in a content string.
If the value of the content keyword is longer than the value of the depth keyword, this signature will never be matched.

context

Syntax: --context {uri | header | body | host};

Description:
Specify the protocol field in which to look for the pattern. If context is not specified for a pattern, the FortiProxy unit searches for the pattern anywhere in the packet buffer. The available context variables are:
- uri: Search for the pattern in the HTTP URI line.
- header: Search for the pattern in HTTP header lines or SMTP/POP3/IMAP control messages.
- body: Search for the pattern in the HTTP body or SMTP/POP3/IMAP email body.
- host: Search for the pattern in the HTTP HOST line.

no_case

Syntax: --no_case;

Description:
Use the no_case keyword to force the FortiProxy unit to perform a case-insensitive pattern match.

offset

Syntax: --offset <offset_int>;

Description:
Use the offset keyword to look for the contents after the specified number of bytes into the payload. The specified number of bytes is an absolute value in the payload. Follow the offset keyword with the depth keyword to stop looking for a match after a specified number of bytes. If no depth is specified, the FortiProxy unit continues looking for a match until the end of the payload.
The offset must be between 0 and 65535.

pattern

Syntax: --pattern [!]"<pattern_str>";

Description:
The FortiProxy unit searches for the specified pattern. A pattern keyword is normally followed by a context keyword to define where to look for the pattern in the packet. If a context keyword is not present, the FortiProxy unit looks for the pattern anywhere in the packet buffer. To have the FortiProxy unit search for a packet that does not contain the specified pattern, add an exclamation mark (!) before the pattern.
Example: --pattern "/level/" --pattern "|E8 D9FF FFFF|/bin/sh" --pattern !"|20|RTSP/"

pcre

Syntax: --pcre [!]"/<regex>/[ismxAEGRUB]";

Description:
Similarly to the pattern keyword, use the pcre keyword to specify a pattern using Perl-compatible regular expressions (PCRE). A pcre keyword can be followed by a context keyword to define where to look for the pattern in the packet. If no context keyword is present, the FortiProxy unit looks for the pattern anywhere in the packet buffer.
For more information about PCRE syntax, go to http://www.pcre.org.
The switches include:
- i: Case insensitive.
- s: Include newlines in the dot metacharacter.
- m: By default, the string is treated as one big line of characters. ^ and $ match at the beginning and end of the string. When m is set, ^ and $ match immediately following or immediately before any newline in the buffer, as well as at the very start and very end of the buffer.
- x: White space data characters in the pattern are ignored except when escaped or inside a character class.
- A: The pattern must match only at the start of the buffer (same as ^).
- E: Set $ to match only at the end of the subject string. Without E, $ also matches immediately before the final character if it is a newline (but not before any other newlines).
- G: Invert the “greediness” of the quantifiers so that they are not greedy by default, but become greedy if followed by ?.
- R: Match relative to the end of the last pattern match (similar to distance:0;).
- U: Deprecated, see the context on page 493 keyword. Match the decoded URI buffers.

uri

Syntax: --uri [!]"<uri_str>";

Description:
Deprecated. See the pattern and context keywords. Use the uri keyword to search for the URI in the packet payload. The URI must be enclosed in double quotes ("). To have the FortiProxy unit search for a packet that does not contain the specified URI, add an exclamation mark (!) before the URI. Multiple content items can be specified in one rule. The value can contain mixed text and binary data. The binary data is generally enclosed within the pipe (|) character. The double quote ("), pipe (|) and colon (:) characters must be escaped using a backslash (\) if specified in a URI string.

within

Syntax: --within <within_int>;

Description:
Use this together with the distance keyword to search for the contents within the specified number of bytes of the payload.
The within value must be between 0 and 65535.

IP header keywords

dst_addr

Syntax: --dst_addr [!]<ipv4>;

Description:
Use the dst_addr keyword to search for the destination IP address. To have the FortiProxy unit search for a packet that does not contain the specified address, add an exclamation mark (!) before the IP address. You can define up to 28 IP addresses or CIDR blocks. Enclose the comma-separated list in square brackets.
Example: --dst_addr [172.20.0.0/16, 10.1.0.0/16, 192.168.0.0/16];

ip_dscp

Syntax: --ip_dscp
Description:
Use the ip_dscp keyword to check the IP DSCP field for the specified value.

ip_id

Syntax: --ip_id <field_int>;

Description:
Check the IP ID field for the specified value.

ip_option

Syntax: --ip_option {rr | eol | nop | ts | sec | lsrr | ssrr | satid | any};
Description:
Use the ip_option keyword to check various IP option settings.
The available options include:
- rr: Check if the IP RR (record route) option is present.
- eol: Check if the IP EOL (end of list) option is present.
- nop: Check if the IP NOP (no op) option is present.
- ts: Check if the IP TS (time stamp) option is present.
- sec: Check if the IP SEC (IP security) option is present.
- lsrr: Check if the IP LSRR (loose source routing) option is present.
- ssrr: Check if the IP SSRR (strict source routing) option is present.
- satid: Check if the IP SATID (stream identifier) option is present.
- any: Check if any IP option is present.

ip_tos

Syntax: --ip_tos <field_int>;

Description:
Check the IP TOS field for the specified value.

ip_ttl

Syntax: --ip_ttl [< | >] <ttl_int>;

Description:
Check the IP time-to-live value against the specified value. Optionally, you can check for an IP time-to-live greater than (>) or less than (<) the specified value with the appropriate symbol.

protocol

Syntax: --protocol {<protocol_int> | tcp | udp | icmp};

Description:
Check the IP protocol header.
Example: --protocol tcp;

src_addr

Syntax: --src_addr [!]<ipv4>;

Description:
Use the src_addr keyword to search for the source IP address. To have the FortiProxy unit search for a packet that does not contain the specified address, add an exclamation mark (!) before the IP address. You can define up to 28 IP addresses or CIDR blocks. Enclose the comma-separated list in square brackets.
Example: --src_addr 192.168.13.0/24;

TCP header keywords

ack

Syntax: --ack <ack_int>;

Description:
Check for the specified TCP acknowledgement number.

dst_port

Syntax: --dst_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>};

Description:
Use the dst_port keyword to specify the destination port number.
You can specify a single port or a port range:
- <port_int> is a single port.
- :<port_int> includes the specified port and all lower numbered ports.
- <port_int>: includes the specified port and all higher numbered ports.
- <port_int>:<port_int> includes the two specified ports and all ports in between.

seq

Syntax: --seq [operator,]<number>[,relative];

Description:
Check for the specified TCP sequence number.
- operator includes =, <, >, !.
- relative indicates that the number is relative to the initial sequence number of the TCP session.

src_port

Syntax: --src_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>};

Description:
Use the src_port keyword to specify the source port number. You can specify a single port or a port range:
- <port_int> is a single port.
- :<port_int> includes the specified port and all lower numbered ports.
- <port_int>: includes the specified port and all higher numbered ports.
- <port_int>:<port_int> includes the two specified ports and all ports in between.

tcp_flags

Syntax: --tcp_flags <SAFRUP120>[!|*|+][,<SAFRUP120>];

Description:
Specify the TCP flags to match in a packet.
- S: Match the SYN flag.
- A: Match the ACK flag.
- F: Match the FIN flag.
- R: Match the RST flag.
- U: Match the URG flag.
- P: Match the PSH flag.
- 1: Match reserved bit 1.
- 2: Match reserved bit 2.
- 0: Match no TCP flags set.
- !: Match if the specified bits are not set.
- *: Match if any of the specified bits are set.
- +: Match on the specified bits, plus any others.
The first part of the value (<SAFRUP120>) defines the bits that must be present for a successful match.
Example:
--tcp_flags AP only matches the case where both the A and P bits are set.
The second part ([,<SAFRUP120>]) is optional, and defines the additional bits that can be present for a match.
For example, tcp_flags S,12 matches the following combinations of flags: S; S and 1; S and 2; S and 1 and 2. The modifiers !, * and + cannot be used in the second part.
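
The two-part syntax and the modifiers above, as an added Python example that is not Fortinet's code: it parses a --tcp_flags value and evaluates it against the flags in a segment. Mapping 1 and 2 to the two high bits of the flags byte, and reading ! as "none of the listed bits set", are assumptions made for this example.

```python
from typing import Set, Tuple

# Added example (not Fortinet's code): parse a --tcp_flags value and test it
# against the flags set in a TCP segment, using the semantics described above.

FLAG_LETTERS = "SAFRUP12"

# Bit values in the TCP flags byte. S/A/F/R/U/P follow RFC 793. Mapping "1"
# and "2" to the two high bits (CWR and ECE) is an assumption borrowed from
# the Snort convention; the guide only calls them reserved bits 1 and 2.
_FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80,
}


def flags_from_byte(flag_byte: int) -> Set[str]:
    """Decode a raw TCP flags byte into the letters used by --tcp_flags."""
    return {letter for letter, bit in _FLAG_BITS.items() if flag_byte & bit}


def parse_tcp_flags(spec: str) -> Tuple[Set[str], str, Set[str]]:
    """Split "<SAFRUP120>[!|*|+][,<SAFRUP120>]" into (required, modifier, optional)."""
    first, _, second = spec.strip().partition(",")
    modifier = ""
    if first and first[-1] in "!*+":
        modifier, first = first[-1], first[:-1]
    if not first:
        raise ValueError(f"tcp_flags value needs at least one flag: {spec!r}")
    for part in (first, second):
        # Also rejects a modifier in the second part, which is not allowed.
        if any(ch not in FLAG_LETTERS + "0" for ch in part):
            raise ValueError(f"bad tcp_flags value {spec!r}")
    if "0" in second or ("0" in first and first != "0"):
        raise ValueError(f"'0' (no flags set) cannot be combined: {spec!r}")
    if first == "0":
        if modifier:
            raise ValueError(f"'0' takes no modifier: {spec!r}")
        first = ""                      # match only when no flag is set
    return set(first), modifier, set(second)


def tcp_flags_match(spec: str, packet_flags) -> bool:
    """Return True when the segment's flags satisfy the --tcp_flags value."""
    required, modifier, optional = parse_tcp_flags(spec)
    flags = set(packet_flags)
    if modifier == "!":      # "not set": read here as none of the listed bits set
        return not (required & flags)
    if modifier == "*":      # any one of the listed bits is enough
        return bool(required & flags)
    if modifier == "+":      # all listed bits, plus anything else
        return required <= flags
    # No modifier: exactly the listed bits, plus any listed after the comma.
    return required <= flags and flags <= required | optional


# Constructed flag bytes: SYN, SYN+ACK, ACK+PSH, SYN with both high bits.
SEGMENTS = {"syn": 0x02, "syn_ack": 0x12, "ack_psh": 0x18, "syn_12": 0xC2}

if __name__ == "__main__":
    for rule in ("AP", "AP+", "S,12", "SF*", "SF!", "0"):
        hits = [name for name, b in SEGMENTS.items()
                if tcp_flags_match(rule, flags_from_byte(b))]
        print(f"--tcp_flags {rule:<5} matches {hits}")
```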

window_size

Syntax: --window_size [!]<window_int>;

Description:
Check for the specified TCP window size. You can specify the window size as a hexadecimal or decimal integer. A hexadecimal value must be preceded by 0x. To have the FortiProxy unit search for the absence of the specified window size, add an exclamation mark (!) before the window size.

UDP header keywords

dst_port

Syntax: --dst_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>};

Description:
Specify the destination port number. You can specify a single port or a port range:
- <port_int> is a single port.
- :<port_int> includes the specified port and all lower numbered ports.
- <port_int>: includes the specified port and all higher numbered ports.
- <port_int>:<port_int> includes the two specified ports and all ports in between.

src_port

Syntax: --src_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>};

Description:
Specify the source port number. You can specify a single port or a port range:
- <port_int> is a single port.
- :<port_int> includes the specified port and all lower numbered ports.
- <port_int>: includes the specified port and all higher numbered ports.
- <port_int>:<port_int> includes the two specified ports and all ports in between.

ICMP keywords

icmp_code

Syntax: --icmp_code <code_int>;

Description:
Specify the ICMP code to match.

icmp_id

Syntax: --icmp_id <id_int>;

Description:
Check for the specified ICMP ID value.

icmp_seq

Syntax: --icmp_seq <seq_int>;

Description:
Check for the specified ICMP sequence value.

icmp_type

Syntax: --icmp_type <type_int>;

Description:
Specify the ICMP type to match.

Other keywords

data_size

Syntax: --data_size {<size_int> | <<size_int> | ><size_int>};

Description:
Test the packet payload size. With data_size specified, packet reassembly is turned off automatically, so a signature that sets both data_size and only_stream is invalid.
- <size_int> is a particular packet size.
- <<size_int> is a packet smaller than the specified size.
- ><size_int> is a packet larger than the specified size.
Examples:
- --data_size 300;
- --data_size <300;
- --data_size >300;

data_at

Syntax: --data_at <offset_int>[, relative];


Description:
Verify that the payload has data at a specified offset, optionally looking for data relative to the end of the previous content
match.

dump-all-html

Syntax: --dump-all-html
Description:
Dump all HTML files for benchmarking via iSniff. When there is no file type specified, all HTML files are dumped.

rate

Syntax: --rate <matches_int>,<time_int>;


Description:
Instead of generating log entries every time the signature is detected, use this keyword to generate a log entry only if the
signature is detected a specified number of times within a specified time period.
- <matches_int> is the number of times a signature must be detected.
- <time_int> is the length of time in which the signature must be detected, in seconds.

For example, if a custom signature detects a pattern, a log entry will be created every time the signature is detected. If
--rate 100,10; is added to the signature, a log entry will be created if the signature is detected 100 times in the previous
10 seconds. Use this command with --track to further limit log entries to when the specified number of detections
occur within a certain time period involving the same source or destination address rather than all addresses.

rpc_num

Syntax: --rpc_num <app_int>[, <ver_int> | *][, <proc_int> | *];


Description:
Check for RPC application, version, and procedure numbers in SUNRPC CALL requests. The * wild card can be used for
version and procedure numbers.

same_ip

Syntax: --same_ip;
Description:
Check that the source and the destination have the same IP addresses.

track

Syntax: --track {SRC_IP | DST_IP | DHCP_CLIENT | DNS_DOMAIN}[,block_int];


Description:
When used with --rate, this keyword narrows the custom signature rate totals to individual addresses.
- SRC_IP: tracks the packet's source IP.
- DST_IP: tracks the packet's destination IP.
- DHCP_CLIENT: tracks the DHCP client's MAC address.
- DNS_DOMAIN: counts the number of any specific domain name.
- block_int has the FortiProxy unit block connections for the specified number of seconds, from the client or to the
server, depending on which is specified.
For example, if --rate 100,10 is added to the signature, a log entry will be created if the signature is detected 100
times in the previous 10 seconds. The FortiProxy unit maintains a single total, regardless of source and destination
address.
If the same custom signature also includes --track client; matches are totaled separately for each source address. A
log entry is added when the signature is detected 100 times in 10 seconds within traffic from the same source address.
The --track keyword can also be used without --rate. If an integer is specified, the client or server will be blocked for
the specified number of seconds every time the signature is detected.
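The difference between a single global total and a per-address total is easiest to see with a small simulation of --rate and --track over a constructed burst of detections. The following sliding-window counter is an added example, not code from the FortiProxy guide or from Fortinet, and it models only the logging side of the keywords (not the block_int blocking). RateTracker and simulate are names assumed for the example; the window semantics ("N detections within the previous T seconds", with the count reset after a log entry) are an assumption modelled on the guide's description.

```python
# Added example (not FortiProxy code): emulate --rate <matches>,<time> with an
# optional --track SRC_IP / DST_IP dimension using a sliding window per key.
from collections import defaultdict, deque


class RateTracker:
    """Report a detection only when `matches` detections fall within the previous
    `seconds`, counted globally or per tracked address (assumed semantics)."""

    def __init__(self, matches: int, seconds: float, track=None):
        if matches < 1 or seconds <= 0:
            raise ValueError("matches must be >= 1 and seconds > 0")
        if track not in (None, "SRC_IP", "DST_IP"):
            raise ValueError(f"unsupported track value: {track}")
        self.matches = matches
        self.seconds = seconds
        self.track = track
        self._hits = defaultdict(deque)  # key -> timestamps of recent detections

    def _key(self, src: str, dst: str) -> str:
        # Without --track every detection shares one total, regardless of address.
        if self.track == "SRC_IP":
            return src
        if self.track == "DST_IP":
            return dst
        return "*"

    def detect(self, ts: float, src: str, dst: str) -> bool:
        """Record one signature detection at time ts; True means 'write a log entry'."""
        window = self._hits[self._key(src, dst)]
        window.append(ts)
        # Drop detections older than the window so only the previous `seconds` count.
        while window and window[0] <= ts - self.seconds:
            window.popleft()
        if len(window) >= self.matches:
            window.clear()  # assumed: one burst yields one entry, then counting restarts
            return True
        return False


def simulate(events, matches: int, seconds: float, track=None) -> list:
    """Feed constructed (ts, src, dst) events through a tracker; return the
    timestamps at which a log entry would be generated."""
    tracker = RateTracker(matches, seconds, track)
    return [ts for ts, src, dst in events if tracker.detect(ts, src, dst)]


# Constructed burst: two clients alternate hits every 0.5 s against one server.
BURST = [
    (i * 0.5, "10.0.0.1" if i % 2 == 0 else "10.0.0.2", "192.0.2.10")
    for i in range(10)
]

if __name__ == "__main__":
    # --rate 5,10 alone: the shared total reaches 5 at t=2.0 and again at t=4.5.
    print("global:", simulate(BURST, 5, 10))
    # --rate 5,10 with --track SRC_IP: each client must reach 5 on its own.
    print("per source:", simulate(BURST, 5, 10, "SRC_IP"))
```

The per-source run produces its first entry two seconds later than the global run on the same input, which is exactly the reduction in log volume the guide describes: with --track, low-rate noise spread across many sources no longer adds up to one combined entry.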

www.fortinet.com

Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
